From 509ca889c999f36127d64e2bfb763a453c267e15 Mon Sep 17 00:00:00 2001 From: Evgeny Yurchenko Date: Sat, 21 May 2011 15:35:35 +0000 Subject: Adding gui to choose media options for interfaces. --- usr/local/www/interfaces.php | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/usr/local/www/interfaces.php b/usr/local/www/interfaces.php index ead78cc..f7c80f8 100755 --- a/usr/local/www/interfaces.php +++ b/usr/local/www/interfaces.php @@ -711,6 +711,15 @@ if ($_POST['apply']) { } else { $wancfg['mss'] = $_POST['mss']; } + if (empty($_POST['mediaopt'])) { + unset($wancfg['media']); + unset($wancfg['mediaopt']); + } else { + $mediaopts = explode(' ', $_POST['mediaopt']); + if ($mediaopts[0] != ''){ $wancfg['media'] = $mediaopts[0]; } + if ($mediaopts[1] != ''){ $wancfg['mediaopt'] = $mediaopts[1]; } + else { unset($wancfg['mediaopt']); } + } if (isset($wancfg['wireless'])) { handle_wireless_post(); } @@ -897,6 +906,21 @@ function check_wireless_mode() { } } +// Find all possible media options for the interface +$mediaopts_list = array(); +$intrealname = $config['interfaces'][$if]['if']; +exec("/sbin/ifconfig -m $intrealname | grep \"media \"", $mediaopts); +foreach ($mediaopts as $mediaopt){ + preg_match("/media (.*)/", $mediaopt, $matches); + if (preg_match("/(.*) mediaopt (.*)/", $matches[1], $matches1)){ + // there is media + mediaopt like "media 1000baseT mediaopt full-duplex" + array_push($mediaopts_list, $matches1[1] . " " . $matches1[2]); + }else{ + // there is only media like "media 1000baseT" + array_push($mediaopts_list, $matches[1]); + } +} + $pgtitle = array(gettext("Interfaces"), $pconfig['descr']); $statusurl = "status_interfaces.php"; 
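Review bot: `$_POST['mediaopt']` is split on a space and written straight into `$wancfg['media']` and `$wancfg['mediaopt']` without being checked against anything, so an arbitrary form string lands in the saved interface configuration. These two fields are presumably handed to ifconfig when the interface is later configured (that code is not in this hunk), so the handler should accept only a value present in the `$mediaopts_list` that the second hunk of this commit builds from `ifconfig -m` (computed before the POST handling, or at minimum matching `/^[a-zA-Z0-9-]+( [a-zA-Z0-9-]+)?$/`) and reject anything else as an input error. Reading `$mediaopts[1]` also raises an undefined-index notice whenever the submitted value contains no space; `list($media, $opt) = array_pad(explode(' ', $_POST['mediaopt'], 2), 2, '');` yields both parts safely. The enclosing POST-handling block starts and ends outside the hunk.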
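Review bot: `$intrealname` is interpolated unquoted into the `exec()` command line; it is read from `$config['interfaces'][$if]['if']`, and when `$if` (presumably taken from the request elsewhere in the file) does not name a configured interface it is empty, so `ifconfig -m  | grep "media "` silently reports the media lines of every interface on the box. Wrap it with `escapeshellarg()` and skip the call when it is empty, e.g. `if (!empty($intrealname)) exec("/sbin/ifconfig -m " . escapeshellarg($intrealname) . " | grep \"media \"", $mediaopts);`. The `$matches[1]` access in the loop also assumes the first `preg_match()` matched; testing its return value keeps the loop notice-free if the ifconfig output format changes.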
@@ -1153,6 +1177,26 @@ $types = array("none" => gettext("None"), "static" => gettext("Static"), "dhcp" "header size) will be in effect."); ?> + 0){ + $mediaopt_from_config = $config['interfaces'][$if]['media'] . ' ' . $config['interfaces'][$if]['mediaopt']; + echo ""; + echo '' . gettext("Speed and duplex") . ''; + echo ''; + echo '
'; + echo gettext("Here you can explicitely set up speed and duplex mode for the interface."); + echo ''; + echo ''; + } + ?> -- cgit v1.1 From 7a18dfa4ed218ad7b114d9cd52c008a76c811614 Mon Sep 17 00:00:00 2001 From: lgcosta Date: Mon, 23 May 2011 11:56:32 -0300 Subject: Fixes #1444. Implements the same fix that issue ermal made in #1522 to the console menu --- etc/inc/interfaces.inc | 4 ++-- etc/rc.initial.setlanip | 2 +- usr/local/www/interfaces.php | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc index dae5495..393833f 100644 --- a/etc/inc/interfaces.inc +++ b/etc/inc/interfaces.inc @@ -932,9 +932,9 @@ function interfaces_configure() { return 0; } -function interface_reconfigure($interface = "wan") { +function interface_reconfigure($interface = "wan", $reloadall = false) { interface_bring_down($interface); - interface_configure($interface, true); + interface_configure($interface, $reloadall); } function interface_vip_bring_down($vip) { diff --git a/etc/rc.initial.setlanip b/etc/rc.initial.setlanip index c1f6ddc..e95acd4 100755 --- a/etc/rc.initial.setlanip +++ b/etc/rc.initial.setlanip @@ -219,7 +219,7 @@ $upperifname = strtoupper($interface); echo "\nPlease wait, saving and activating your changes to {$upperifname}..."; write_config(gettext("{$interface} IP configuration from console menu")); - interface_configure(strtolower($upperifname)); + interface_reconfigure(strtolower($upperifname)); echo " Reloading filter..."; filter_configure_sync(); echo "\n"; diff --git a/usr/local/www/interfaces.php b/usr/local/www/interfaces.php index ead78cc..899e209 100755 --- a/usr/local/www/interfaces.php +++ b/usr/local/www/interfaces.php 
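Review bot: Adding `$reloadall = false` changes what every existing caller of `interface_reconfigure()` gets: they previously ended up in `interface_configure($interface, true)` and now get `false` as the second argument unless they pass the new parameter, and only the interfaces.php caller is updated in this commit (the rc.initial.setlanip caller is newly switched to this function and so gets the new default). A docblock above the function would make the contract explicit, e.g. `/* Bring $interface down and configure it again; $reloadall is passed through as the second argument of interface_configure(), so callers that relied on the previous behaviour must pass true */`, and the other call sites deserve a check that the new default is what they want.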
@@ -310,7 +310,7 @@ if ($_POST['apply']) { $toapplylist = unserialize(file_get_contents("{$g['tmp_path']}/.interfaces.apply")); foreach ($toapplylist as $ifapply) { if (isset($config['interfaces'][$ifapply]['enable'])) - interface_reconfigure($ifapply); + interface_reconfigure($ifapply, true); else interface_bring_down($ifapply); } -- cgit v1.1 From a90896fd641a24d33af1db55efbf83c5cfac9974 Mon Sep 17 00:00:00 2001 From: jim-p Date: Tue, 24 May 2011 12:21:33 -0400 Subject: Move the code to touch needs_package_sync into the shell script portion of the post upgrade command. The PHP portion will fail spectacularly during the 1.2.3-to-2.0 upgrade trying to run the new binaries on the old OS. The shell script part still works. Fixes #1251 enough for what we need. The PHP code can never run properly there, but at least we can trigger the package reinstall and the rest can sort itself out when 2.0 boots the first time. --- tmp/post_upgrade_command | 10 +++++++--- tmp/post_upgrade_command.php | 3 --- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/tmp/post_upgrade_command b/tmp/post_upgrade_command index 99285e4..8603a53 100755 --- a/tmp/post_upgrade_command +++ b/tmp/post_upgrade_command @@ -2,7 +2,9 @@ /etc/rc.conf_mount_rw +PFSENSETYPE=`cat /etc/platform` KERNELTYPE=`cat /boot/kernel/pfsense_kernel.txt` + if [ $KERNELTYPE = "wrap" ]; then if [ -f /kernels/kernel_wrap.gz ]; then tar xzpf /kernels/kernel_wrap.gz --exclude loader.conf -C /boot/ @@ -26,6 +28,10 @@ if [ $KERNELTYPE = "UP" ]; then fi fi +if [ $PFSENSETYPE = "pfSense" ] || [ $PFSENSETYPE = "nanobsd" ]; then + touch /conf/needs_package_sync +fi + # Detect interactive logins and display the shell echo "if [ \`env | grep SSH_TTY | wc -l\` -gt 0 ] || [ \`env | grep cons25 | wc -l\` -gt 0 ]; then" > $CVS_CO_DIR/root/.shrc echo " /etc/rc.initial" >> $CVS_CO_DIR/root/.shrc 
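Review bot: `$PFSENSETYPE` is expanded unquoted in the new test `if [ $PFSENSETYPE = "pfSense" ] || [ $PFSENSETYPE = "nanobsd" ]`, so if `/etc/platform` is missing or empty while the upgrade script runs the test becomes `[ = "pfSense" ]` and the script fails on a syntax error instead of simply not touching the file; `$KERNELTYPE` a few lines above has the same shape. Quote the expansions and keep cat quiet when the file is absent: `PFSENSETYPE=$(cat /etc/platform 2>/dev/null)` and `if [ "$PFSENSETYPE" = "pfSense" ] || [ "$PFSENSETYPE" = "nanobsd" ]; then`. The `if [ $PFSENSETYPE = "embedded" ]` test that the third hunk of this file now relies on the moved variable for has the same issue.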
@@ -37,7 +43,7 @@ echo " exit" >> $CVS_CO_DIR/root/.profile echo "fi" >> $CVS_CO_DIR/root/.profile # Now turn on or off serial console as needed -php -f /tmp/post_upgrade_command.php +/tmp/post_upgrade_command.php # Remove any previous MD5 sum files rm -f /root/*.md5 @@ -45,7 +51,6 @@ rm -f /root/*.md5 # File moved to pfSense php shell (pfSsh.php) rm -rf /usr/local/sbin/cvs_sync.sh -PFSENSETYPE=`cat /etc/platform` if [ $PFSENSETYPE = "embedded" ]; then cp /etc/ttys_wrap /etc/ttys fi @@ -53,4 +58,3 @@ fi if [ -f /usr/local/sbin/php ]; then rm /usr/local/sbin/php fi - diff --git a/tmp/post_upgrade_command.php b/tmp/post_upgrade_command.php index dfe9342..a188710 100755 --- a/tmp/post_upgrade_command.php +++ b/tmp/post_upgrade_command.php @@ -20,9 +20,6 @@ setup_serial_port(); - if($g['platform'] == "pfSense" or $g['platform'] == "nanobsd") - touch("/conf/needs_package_sync"); - $files_to_process = split("\n", file_get_contents("/etc/pfSense.obsoletedfiles")); foreach($files_to_process as $filename) if(file_exists($filename)) -- cgit v1.1 From bdb6bd30651fc219acf5a0171752164d680a1c7b Mon Sep 17 00:00:00 2001 From: jim-p Date: Tue, 24 May 2011 12:49:21 -0400 Subject: Fix syntax error/typo. Fixes #1372 --- etc/inc/rrd.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/inc/rrd.inc b/etc/inc/rrd.inc index 4d1c456..8ae459b 100644 --- a/etc/inc/rrd.inc +++ b/etc/inc/rrd.inc @@ -394,7 +394,7 @@ function enable_rrd_graphing() { $rrdupdatesh .= " sleep 0.2\n"; $rrdupdatesh .= " echo \"quit\"\n"; $rrdupdatesh .= "}\n"; - $rrdupdatesh .= "OVPN=`list_current_users | nc -U {$g['varetc_path']}/openvpn/server{$vpnid}.sock | awk -F\",\" '/^CLIENT_LIST/ {print \$2}' | wc -l | awk '{print $1}'` &\n"; + $rrdupdatesh .= "OVPN=`list_current_users | nc -U {$g['varetc_path']}/openvpn/server{$vpnid}.sock | awk -F\",\" '/^CLIENT_LIST/ {print \$2}' | wc -l | awk '{print $1}'`\n"; $rrdupdatesh .= "$rrdtool update $rrddbpath$ifname$vpnusers N:\${OVPN}\n"; } -- cgit v1.1 
From 4e12754d1ae3405a8910686a7fa0bb012c01d8da Mon Sep 17 00:00:00 2001 From: jim-p Date: Tue, 24 May 2011 13:39:38 -0400 Subject: Fix automatic and manual outbound NAT for PPTP. Fixes #954 --- etc/inc/filter.inc | 10 ++++------ usr/local/www/firewall_nat_out.php | 12 ++++-------- 2 files changed, 8 insertions(+), 14 deletions(-) diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index bdb3541..f0c718a 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -1326,12 +1326,10 @@ function filter_nat_rules_generate() { } } /* PPTP subnet */ - if(isset($FilterIflist['pptp']) && $FilterIflist['pptp']['mode'] == "server" ) { - $pptp_subnet = $FilterIflist['pptp']['sn']; - if(is_private_ip($FilterIflist['pptp']['sa']) && !empty($pptp_subnet)) { - $numberofnathosts++; - $tonathosts .= "{$FilterIflist['pptp']['sa']}/{$pptp_subnet} "; - } + if(($config['pptpd']['mode'] == "server" ) && is_private_ip($config['pptpd']['remoteip'])) { + $pptp_subnets = ip_range_to_subnet_array($config['pptpd']['remoteip'], long2ip32(ip2long($config['pptpd']['remoteip'])+$config['pptpd']['n_pptp_units'])); + $numberofnathosts += count($pptp_subnets); + $tonathosts .= implode(" ", $pptp_subnets) . " "; } /* PPPoE subnet */ if(isset($FilterIflist['pppoe']) && $FilterIflist['pppoe']['mode'] == "server") { diff --git a/usr/local/www/firewall_nat_out.php b/usr/local/www/firewall_nat_out.php index 4649795..e6b5900 100755 --- a/usr/local/www/firewall_nat_out.php +++ b/usr/local/www/firewall_nat_out.php 
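Review bot: The end of the PPTP client range is computed as `ip2long($config['pptpd']['remoteip']) + $config['pptpd']['n_pptp_units']`, which for N units spans N+1 addresses (remoteip through remoteip+N) if `ip_range_to_subnet_array()` treats both ends as inclusive, and collapses to a single address when `n_pptp_units` is unset (PHP adds null as 0); the identical expression is repeated in the firewall_nat_out.php hunk of this commit. If the intended range is remoteip..remoteip+N-1, subtract one from the end, and move the shared computation into one helper so both call sites agree. The `$config['pptpd']['mode']` read is also not guarded by `isset()`/`is_array()` like the surrounding `$FilterIflist` checks and emits a notice on a config without a pptpd section. The enclosing function continues outside the hunk.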
@@ -126,15 +126,11 @@ if (isset($_POST['save']) && $_POST['save'] == "Save") { $a_out[] = $natent; /* PPTP subnet */ - if($config['pptpd']['mode'] == "server") { - if (is_ipaddr($config['pptpd']['localip'])) { - if($config['pptpd']['pptp_subnet'] <> "") - $ossubnet = $config['pptpd']['pptp_subnet']; - else - $ossubnet = "32"; - $osn = gen_subnet($config['pptpd']['localip'], $ossubnet); + if (($config['pptpd']['mode'] == "server") && is_private_ip($config['pptpd']['remoteip'])) { + $pptp_subnets = ip_range_to_subnet_array($config['pptpd']['remoteip'], long2ip32(ip2long($config['pptpd']['remoteip'])+$config['pptpd']['n_pptp_units'])); + foreach ($pptp_subnets as $pptpsn) { $natent = array(); - $natent['source']['network'] = "{$osn}/{$ossubnet}"; + $natent['source']['network'] = $pptpsn; $natent['sourceport'] = ""; $natent['descr'] = gettext("Auto created rule for PPTP server"); $natent['target'] = ""; -- cgit v1.1 From ee6d2b525127a05121682b1c26dd153496385b36 Mon Sep 17 00:00:00 2001 From: Ermal Date: Tue, 24 May 2011 19:35:54 +0000 Subject: Resolves #1243. Properly handle pppoe new format of config so correct rulesets are generated. --- etc/inc/filter.inc | 65 ++++++++++++++++++++++++++++++++---------------------- 1 file changed, 39 insertions(+), 26 deletions(-) diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index f0c718a..9727d59 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -695,9 +695,15 @@ function filter_get_vpns_list() { } } /* pppoe */ - if($config['pppoe']['remoteip']) { - if(is_subnet($tunnel['remote-subnet'])) { - $vpns_arr[] = $config['pppoe']['remoteip'] ."/". $config['pppoe']['pppoe_subnet']; + if (is_array($config['pppoes']['pppoe'])) { + foreach($config['pppoes']['pppoe'] as $pppoe) { + if ($pppoe['mode'] == "server") { + if(is_ipaddr($pppoe['remoteip'])) { + $pppoesub = gen_subnet($pppoe['remoteip'], $pppoe['pppoe_subnet']); + if (is_subnet($pppoesub)) + $vpns_arr[] = $pppoesub; + } + } } } if(!empty($vpns_arr)) { 
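Review bot: `gen_subnet($pppoe['remoteip'], $pppoe['pppoe_subnet'])` is called with whatever `pppoe_subnet` holds, whereas the filter_generate_optcfg_array hunk of this same commit falls back to `"32"` when that field is empty; an entry with an empty subnet is therefore silently dropped here by the `is_subnet()` check instead of being listed with the same default the rest of the ruleset uses. Apply the same fallback before the call, e.g. `$pppoesn = ($pppoe['pppoe_subnet'] <> "") ? $pppoe['pppoe_subnet'] : "32";` and pass `$pppoesn` to `gen_subnet()`. filter_get_vpns_list() starts before the hunk.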
@@ -788,19 +794,24 @@ function filter_generate_optcfg_array() { $oic['virtual'] = true; $FilterIflist['l2tp'] = $oic; } - if($config['pppoe']['mode'] == "server") { - $oic = array(); - $oic['if'] = 'pppoe'; - $oic['descr'] = 'pppoe'; - $oic['ip'] = $config['pppoe']['localip']; - $oic['sa'] = $config['pppoe']['remoteip']; - $oic['mode'] = $config['pppoe']['mode']; - $oic['virtual'] = true; - if($config['pppoe']['pppoe_subnet'] <> "") - $oic['sn'] = $config['pppoe']['pppoe_subnet']; - else - $oic['sn'] = "32"; - $FilterIflist['pppoe'] = $oic; + if (is_array($config['pppoes']['pppoe'])) { + $FilterIflist['pppoe'] = array(); + foreach($config['pppoes']['pppoe'] as $pppoe) { + if ($pppoe['mode'] == "server") { + $oic = array(); + $oic['if'] = 'pppoe'; + $oic['descr'] = 'pppoe'; + $oic['ip'] = $pppoe['localip']; + $oic['sa'] = $pppoe['remoteip']; + $oic['mode'] = $pppoe['mode']; + $oic['virtual'] = true; + if($pppoe['pppoe_subnet'] <> "") + $oic['sn'] = $pppoe['pppoe_subnet']; + else + $oic['sn'] = "32"; + $FilterIflist['pppoe'][] = $oic; + } + } } /* add ipsec interfaces */ if(isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])) { @@ -1332,11 +1343,12 @@ function filter_nat_rules_generate() { $tonathosts .= implode(" ", $pptp_subnets) . " "; } /* PPPoE subnet */ - if(isset($FilterIflist['pppoe']) && $FilterIflist['pppoe']['mode'] == "server") { - $pppoe_subnet = $FilterIflist['pppoe']['sn']; - if(is_private_ip($FilterIflist['pppoe']['sa']) && !empty($pppoe_subnet)) { - $numberofnathosts++; - $tonathosts .= "{$FilterIflist['pppoe']['sa']}/{$pppoe_subnet} "; + if (is_array($FilterIflist['pppoe'])) { + foreach ($FilterIflist['pppoe'] as $pppoe) { + if(is_private_ip($pppoe['ip'])) { + $numberofnathosts++; + $tonathosts .= "{$pppoe['ip']}/{$pppoe['sn']} "; + } } } /* L2TP subnet */ 
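Review bot: `$FilterIflist['pppoe'] = array();` is assigned as soon as `$config['pppoes']['pppoe']` is an array, even when no entry is in server mode, so the downstream `is_array($FilterIflist['pppoe'])` checks (the NAT hunk below and filter_generate_address later in this commit) see an empty list rather than an absent key, and every consumer that still treats that key as a single interface entry now receives a list of entries — the repeated filter_generate_aliases fixes later on this page are that fallout. Only keep the key when something was found, e.g. `if (empty($FilterIflist['pppoe'])) unset($FilterIflist['pppoe']);` after the loop, and put a comment at the assignment noting that, unlike the other `$FilterIflist` keys, this one holds a list of interface entries. The function starts and ends outside the hunk.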
@@ -1640,9 +1652,12 @@ function filter_generate_address(& $rule, $target = "source", $isnat = false) { $src = "{$pptpsa}/{$pptpsn}"; break; case 'pppoe': - $pppoesa = gen_subnet($FilterIflist['pppoe']['ip'], $FilterIflist['pppoe']['sn']); - $pppoesn = $FilterIflist['pppoe']['sn']; - $src = "{$pppoesa}/{$pppoesn}"; + /* XXX: This needs to be fixed somehow! */ + if (is_array($FilterIflist['pppoe'])) { + $pppoesa = gen_subnet($FilterIflist['pppoe'][0]['ip'], $FilterIflist['pppoe'][0]['sn']); + $pppoesn = $FilterIflist['pppoe'][0]['sn']; + $src = "{$pppoesa}/{$pppoesn}"; + } break; } if(isset($rule[$target]['not'])) @@ -1701,7 +1716,6 @@ function filter_generate_user_rule($rule) { } update_filter_reload_status("Creating filter rules {$rule['descr']} ..."); $pptpdcfg = $config['pptpd']; - $pppoecfg = $config['pppoe']; $int = ""; $aline = array(); @@ -2011,7 +2025,6 @@ function filter_rules_generate() { } $pptpdcfg = $config['pptpd']; - $pppoecfg = $config['pppoe']; $ipfrules = ""; //$ipfrules .= discover_pkg_rules("filter"); -- cgit v1.1 From 7e107d2ef73bc233113fd0cddecd5e0ac21b2e9b Mon Sep 17 00:00:00 2001 From: Ermal Date: Tue, 24 May 2011 20:01:11 +0000 Subject: Use remoteips here. --- etc/inc/filter.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 9727d59..c644379 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -1347,7 +1347,7 @@ function filter_nat_rules_generate() { foreach ($FilterIflist['pppoe'] as $pppoe) { if(is_private_ip($pppoe['ip'])) { $numberofnathosts++; - $tonathosts .= "{$pppoe['ip']}/{$pppoe['sn']} "; + $tonathosts .= "{$pppoe['sa']}/{$pppoe['sn']} "; } } } -- cgit v1.1 From d1a44a5f1c64d905f3389eff0ce747a9b810045a Mon Sep 17 00:00:00 2001 From: Ermal Date: Tue, 24 May 2011 20:05:00 +0000 Subject: Correct the interface alias generation. --- etc/inc/filter.inc | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) 
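Review bot: The `/* XXX */` branch only ever reads `$FilterIflist['pppoe'][0]`, so a rule whose source or destination is 'pppoe' covers just the first server-mode PPPoE instance and silently ignores any others, and when the list is empty `$src` is apparently left at whatever value it held before the switch. Until the multi-instance behaviour is decided the comment should say what is being lost, `/* XXX: only the first PPPoE server instance is matched; additional instances get no rule */`, and the empty-list case should explicitly produce no address rather than fall through. filter_generate_address() starts and ends outside the hunk.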
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index c644379..8463d3c 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -513,8 +513,15 @@ function filter_generate_aliases() { $aliases = "loopback = \"{ lo0 }\"\n"; foreach ($FilterIflist as $if => $ifcfg) { - $aliases .= "{$ifcfg['descr']} = \"{ {$ifcfg['if']}"; - $aliases .= " }\"\n"; + if (is_array($ifcfg)) { + if ($ifcfg[0]['if'] == 'pppoe') { + $aliases .= "{$ifcfg[0]['descr']} = \"{ {$ifcfg[0]['if']}"; + $aliases .= " }\"\n"; + } + } else { + $aliases .= "{$ifcfg['descr']} = \"{ {$ifcfg['if']}"; + $aliases .= " }\"\n"; + } } $aliases .= "\n#SSH Lockout Table\n"; -- cgit v1.1 From 77bd744e8ffe184168489f465c68573cdb66b7c3 Mon Sep 17 00:00:00 2001 From: Ermal Date: Tue, 24 May 2011 20:11:59 +0000 Subject: Correct the interface alias generation. --- etc/inc/filter.inc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 8463d3c..11ec827 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -513,9 +513,9 @@ function filter_generate_aliases() { $aliases = "loopback = \"{ lo0 }\"\n"; foreach ($FilterIflist as $if => $ifcfg) { - if (is_array($ifcfg)) { - if ($ifcfg[0]['if'] == 'pppoe') { - $aliases .= "{$ifcfg[0]['descr']} = \"{ {$ifcfg[0]['if']}"; + if (is_array($ifcfg['pppoe'])) { + if ($ifcfg['pppoe'][0]['if'] == 'pppoe') { + $aliases .= "{$ifcfg['pppoe'][0]['descr']} = \"{ {$ifcfg['pppoe'][0]['if']}"; $aliases .= " }\"\n"; } } else { -- cgit v1.1 From b7475a811cf4620112673dc78c5d0afacb4a38c1 Mon Sep 17 00:00:00 2001 From: Ermal Date: Tue, 24 May 2011 20:13:10 +0000 Subject: Correct the interface alias generation. Wrong copy-pasto before. --- etc/inc/filter.inc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 11ec827..67bc1f3 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc 
@@ -513,9 +513,9 @@ function filter_generate_aliases() { $aliases = "loopback = \"{ lo0 }\"\n"; foreach ($FilterIflist as $if => $ifcfg) { - if (is_array($ifcfg['pppoe'])) { - if ($ifcfg['pppoe'][0]['if'] == 'pppoe') { - $aliases .= "{$ifcfg['pppoe'][0]['descr']} = \"{ {$ifcfg['pppoe'][0]['if']}"; + if (is_array($ifcfg[0])) { + if ($ifcfg[0]['if'] == 'pppoe') { + $aliases .= "{$ifcfg[0]['descr']} = \"{ {$ifcfg[0]['if']}"; $aliases .= " }\"\n"; } } else { -- cgit v1.1 From f6f1c8474875e91cf297abf28e2fad65ea6152f7 Mon Sep 17 00:00:00 2001 From: Ermal Date: Wed, 25 May 2011 11:02:53 +0000 Subject: Update some code to be more readble and more compliant to php5 --- etc/inc/voucher.inc | 10 ++++------ usr/local/www/services_captiveportal_vouchers.php | 3 +-- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/etc/inc/voucher.inc b/etc/inc/voucher.inc index ec59716..8d41e05 100644 --- a/etc/inc/voucher.inc +++ b/etc/inc/voucher.inc @@ -164,8 +164,7 @@ function voucher_auth($voucher_received, $test = 0) { $tickets_per_roll = array(); $minutes_per_roll = array(); if (is_array($config['voucher']['roll'])) { - $a_roll = &$config['voucher']['roll']; - foreach ($a_roll as $rollent) { + foreach ($config['voucher']['roll'] as $rollent) { $tickets_per_roll[$rollent['number']] = $rollent['count']; $minutes_per_roll[$rollent['number']] = $rollent['minutes']; } @@ -192,7 +191,7 @@ function voucher_auth($voucher_received, $test = 0) { list($status, $roll, $nr) = explode(" ", $result); if ($status == "OK") { if (!$first_voucher) { - // store first voucher. Thats the one we give the timecredit + // store first voucher. Thats the one we give the timecredit $first_voucher = $voucher; $first_voucher_roll = $roll; } 
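Review bot: `is_array($ifcfg[0])` is evaluated for every entry of `$FilterIflist`, and the ordinary interface entries are associative arrays with keys such as 'if' and 'descr', so offset 0 does not exist and each of those iterations raises an undefined-index notice before reaching the else branch. Test the key rather than probing offset 0: `if ($if == 'pppoe' && is_array($ifcfg) && isset($ifcfg[0])) {`. That also makes the special case self-describing, which the two earlier attempts at this same line on this page suggest is needed.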
@@ -352,11 +351,10 @@ function voucher_configure($sync = false) { if (($g['booting'] || $sync == true) && is_array($config['voucher']['roll'])) { - // create active and used DB per roll on ramdisk from config - $a_roll = &$config['voucher']['roll']; $voucherlck = lock('voucher', LOCK_EX); - foreach ($a_roll as $rollent) { + // create active and used DB per roll on ramdisk from config + foreach ($config['voucher']['roll'] as $rollent) { $roll = $rollent['number']; voucher_write_used_db($roll, $rollent['used']); diff --git a/usr/local/www/services_captiveportal_vouchers.php b/usr/local/www/services_captiveportal_vouchers.php index 203906a..19171f4 100644 --- a/usr/local/www/services_captiveportal_vouchers.php +++ b/usr/local/www/services_captiveportal_vouchers.php @@ -116,9 +116,8 @@ if ($_GET['act'] == "del") { exit; } } - /* print all vouchers of the selected roll */ -if ($_GET['act'] == "csv") { +else if ($_GET['act'] == "csv") { $privkey = base64_decode($config['voucher']['privatekey']); if (strstr($privkey,"BEGIN RSA PRIVATE KEY")) { $fd = fopen("{$g['varetc_path']}/voucher.private","w"); -- cgit v1.1 From f0e80b72a3c359f52596e9b6948178ad48d6bb1b Mon Sep 17 00:00:00 2001 From: jim-p Date: Wed, 25 May 2011 09:35:23 -0400 Subject: Correct dhcpd statement for unknown-clients. Fixes #1555 --- etc/inc/services.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/inc/services.inc b/etc/inc/services.inc index 7108bc3..e7028c6 100644 --- a/etc/inc/services.inc +++ b/etc/inc/services.inc @@ -275,7 +275,7 @@ EOPP; $dhcpdconf .= " deny dynamic bootp clients;\n"; if (isset($dhcpifconf['denyunknown'])) - $dhcpdconf .= " deny unknown clients;\n"; + $dhcpdconf .= " deny unknown-clients;\n"; if ($dhcpifconf['gateway']) $routers = $dhcpifconf['gateway']; -- cgit v1.1 From c749ef62ec8ecb3d7f38f7de49e5029631614ef5 Mon Sep 17 00:00:00 2001 
From: Ermal Date: Wed, 25 May 2011 15:38:54 +0000 Subject: Check that the returned ip is an ip_address and not blindly trust the returned information. --- etc/inc/dyndns.class | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/etc/inc/dyndns.class b/etc/inc/dyndns.class index 150dedc..8f9a695 100644 --- a/etc/inc/dyndns.class +++ b/etc/inc/dyndns.class @@ -795,13 +795,15 @@ if($successful_update == true) { /* Write WAN IP to cache file */ $wan_ip = $this->_checkIP(); - $currentTime = time(); - log_error("phpDynDNS: updating cache file {$this->_cacheFile}: {$wan_ip}"); - conf_mount_rw(); - $file = fopen($this->_cacheFile, 'w'); - fwrite($file, $wan_ip.':'.$currentTime); - fclose($file); - conf_mount_ro(); + if (is_ipaddr($wan_ip)) { + $currentTime = time(); + log_error("phpDynDNS: updating cache file {$this->_cacheFile}: {$wan_ip}"); + conf_mount_rw(); + $file = fopen($this->_cacheFile, 'w'); + fwrite($file, $wan_ip.':'.$currentTime); + fclose($file); + conf_mount_ro(); + } } $this->status = $status; log_error($status); @@ -957,7 +959,12 @@ $ip_result_decoded = urldecode($ip_result_page); preg_match('/Current IP Address: (.*)<\/body>/', $ip_result_decoded, $matches); $ip_address = trim($matches[1]); - log_error("DynDns debug information: {$ip_address} extracted from {$hosttocheck}"); + if (is_ipaddr($ip_address)) + log_error("DynDns debug information: {$ip_address} extracted from {$hosttocheck}"); + else { + log_error("DynDns debug information: IP address could not be extracted from {$hosttocheck}"); + return 0; + } } else log_error("DynDns debug information: {$ip_address} extracted from local system."); -- cgit v1.1 From 7788c76a4e9e04b356f40f2129ff5309617dad99 Mon Sep 17 00:00:00 2001 From: jim-p Date: Wed, 25 May 2011 12:29:09 -0400 Subject: Don't overwrite the $target variable. Fixes #1415 --- etc/inc/filter.inc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 67bc1f3..3ce44a3 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -1039,7 +1039,6 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstaddr_ $target = $FilterIflist[$rule['target']]['ip']; else return ""; - $starting_localhost_port_tmp = $starting_localhost_port; $toomanyports = false; /* only install reflection rules for < 19991 items */ @@ -1088,7 +1087,7 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstaddr_ $toadd_array = array_merge($toadd_array, range($loc_pt[0], $loc_pt[0] + $delta)); if(!empty($toadd_array)) { - $target = explode(" ", trim($target)); + $rtarget = explode(" ", trim($target)); foreach($toadd_array as $tda) { if (empty($tda)) continue; @@ -1100,7 +1099,7 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstaddr_ $socktype = "stream"; $dash_u = ""; } - foreach ($target as $targip) { + foreach ($rtarget as $targip) { if (empty($targip)) continue; $reflection_txt[] = "{$inetdport}\t{$socktype}\t{$reflect_proto}\tnowait/0\tnobody\t/usr/bin/nc\tnc {$dash_u}-w {$reflectiontimeout} {$targip} {$tda}\n"; -- cgit v1.1 From dd575ea43699b452e1e925518bc9e59f5db78d6f Mon Sep 17 00:00:00 2001 From: Ermal Date: Wed, 25 May 2011 16:41:26 +0000 Subject: Improve some code and check return value from _checkIP. --- etc/inc/dyndns.class | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/etc/inc/dyndns.class b/etc/inc/dyndns.class index 8f9a695..4697da7 100644 --- a/etc/inc/dyndns.class +++ b/etc/inc/dyndns.class 
@@ -795,15 +795,14 @@ if($successful_update == true) { /* Write WAN IP to cache file */ $wan_ip = $this->_checkIP(); - if (is_ipaddr($wan_ip)) { + conf_mount_rw(); + if ($wan_ip > 0) { $currentTime = time(); log_error("phpDynDNS: updating cache file {$this->_cacheFile}: {$wan_ip}"); - conf_mount_rw(); - $file = fopen($this->_cacheFile, 'w'); - fwrite($file, $wan_ip.':'.$currentTime); - fclose($file); - conf_mount_ro(); - } + @file_put_contents($this->_cacheFile, "{$wan_ip}:{$currentTime}"); + } else + @unlink($this->_cacheFile); + conf_mount_ro(); } $this->status = $status; log_error($status); @@ -861,6 +860,10 @@ $currentTime = time(); $wan_ip = $this->_checkIP(); + if ($wan_ip == 0) { + log_error("DynDns: Current WAN IP could not be determined."); + return true; + } $this->_dnsIP = $wan_ip; log_error("DynDns: Current WAN IP: {$wan_ip}"); @@ -872,11 +875,9 @@ log_error("DynDns: Cached IP: {$cacheIP}"); } else { conf_mount_rw(); - $file = fopen($this->_cacheFile, 'w'); - fwrite($file, '0.0.0.0:'.$currentTime); - fclose($file); - conf_mount_ro(); $cacheIP = '0.0.0.0'; + @file_put_contents($this->_cacheFile, "0.0.0.0:{$currentTime}"); + conf_mount_ro(); $cacheTime = $currentTime; $initial = true; log_error("DynDns: No Cached IP found."); @@ -946,7 +947,7 @@ } if ($try >= 3) { log_error("Dyndns debug information: Could not resolve {$hosttocheck} to ip using interface ip {$ip_address}."); - return $ip_address; /* XXX: Might return private ip address! */ + return 0; } $ip_ch = curl_init("http://{$checkip}"); curl_setopt($ip_ch, CURLOPT_RETURNTRANSFER, 1); -- cgit v1.1 From 193ee786a468c7fdcc3fc9086d1747b3d879c4a5 Mon Sep 17 00:00:00 2001 From: Ermal Date: Wed, 25 May 2011 16:51:53 +0000 Subject: Actually add more error checking and do not schedule a scan if it is not possible to retreive the wan ip address. --- etc/inc/dyndns.class | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
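Review bot: `_checkIP()` now returns either an IP string or the integer 0, and the callers test that with loose comparisons — `if ($wan_ip > 0)` in the cache-write hunk and `if ($wan_ip == 0)` in _detectChange — which depend on PHP's string-to-number juggling of a dotted quad and behave differently across PHP versions (older releases convert the leading digits, current ones compare the string against "0"). Compare identity instead, `if ($wan_ip !== 0)` and `if ($wan_ip === 0)`, or keep the `is_ipaddr($wan_ip)` test that the previous commit on this page used. The `@file_put_contents(...)` calls also suppress and discard the write result, so a cache file that cannot be written is no longer reported; check the return value and `log_error()` on failure rather than silencing it.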
diff --git a/etc/inc/dyndns.class b/etc/inc/dyndns.class index 4697da7..d8a350b 100644 --- a/etc/inc/dyndns.class +++ b/etc/inc/dyndns.class @@ -861,8 +861,8 @@ $wan_ip = $this->_checkIP(); if ($wan_ip == 0) { - log_error("DynDns: Current WAN IP could not be determined."); - return true; + log_error("DynDns: Current WAN IP could not be determined, skipping update process."); + return false; } $this->_dnsIP = $wan_ip; log_error("DynDns: Current WAN IP: {$wan_ip}"); @@ -935,6 +935,8 @@ log_error("DynDns: _checkIP() starting."); $ip_address = find_interface_ip($this->_if); + if (!is_ipaddr($ip_address)) + return 0; $this->_ifIP = $ip_address; if (is_private_ip($ip_address)) { $hosttocheck = "checkip.dyndns.org"; -- cgit v1.1 From dceff62e8144b56cb292e1a3fd69abe307072625 Mon Sep 17 00:00:00 2001 From: Ermal Date: Wed, 25 May 2011 17:08:22 +0000 Subject: Put some debug info during dyndns update under debug conditionals. --- etc/inc/dyndns.class | 17 +++++++++++------ etc/inc/services.inc | 2 -- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/etc/inc/dyndns.class b/etc/inc/dyndns.class index d8a350b..01209b9 100644 --- a/etc/inc/dyndns.class +++ b/etc/inc/dyndns.class @@ -854,8 +854,10 @@ * | work with other systems. pfSense base is FreeBSD. */ function _detectChange() { - - log_error("DynDns: _detectChange() starting."); + global $debug; + + if ($debug) + log_error("DynDns: _detectChange() starting."); $currentTime = time(); @@ -865,14 +867,14 @@ return false; } $this->_dnsIP = $wan_ip; - log_error("DynDns: Current WAN IP: {$wan_ip}"); + $log_error = "DynDns: Current WAN IP: {$wan_ip} "; if (file_exists($this->_cacheFile)) { $contents = file_get_contents($this->_cacheFile); list($cacheIP,$cacheTime) = split(':', $contents); $this->_debug($cacheIP.'/'.$cacheTime); $initial = false; - log_error("DynDns: Cached IP: {$cacheIP}"); + $log_error .= "Cached IP: {$cacheIP} "; } else { conf_mount_rw(); $cacheIP = '0.0.0.0'; 
@@ -880,8 +882,9 @@ conf_mount_ro(); $cacheTime = $currentTime; $initial = true; - log_error("DynDns: No Cached IP found."); + $log_error .= "No Cached IP found."; } + log_error($log_error); /* use 2419200 for dyndns, dhs, easydns, noip, hn * zoneedit, dyns, ods @@ -931,8 +934,10 @@ conf_mount_ro(); } function _checkIP() { + global $debug; - log_error("DynDns: _checkIP() starting."); + if ($debug) + log_error("DynDns: _checkIP() starting."); $ip_address = find_interface_ip($this->_if); if (!is_ipaddr($ip_address)) diff --git a/etc/inc/services.inc b/etc/inc/services.inc index e7028c6..d5c9ada 100644 --- a/etc/inc/services.inc +++ b/etc/inc/services.inc @@ -606,8 +606,6 @@ function services_dyndns_configure_client($conf) { /* load up the dyndns.class */ require_once("dyndns.class"); - log_error("DynDns: Running updatedns()"); - $dns = new updatedns($dnsService = $conf['type'], $dnsHost = $conf['host'], $dnsUser = $conf['username'], -- cgit v1.1 From 05771a248503a0af661195f3e8759fc04370ea2b Mon Sep 17 00:00:00 2001 From: Ermal Date: Wed, 25 May 2011 20:28:10 +0000 Subject: Provide a voucher_expire function so that voucher can be expired through a POST. --- etc/inc/voucher.inc | 355 +++++++++++++++------- usr/local/www/services_captiveportal_vouchers.php | 6 + 2 files changed, 249 insertions(+), 112 deletions(-) diff --git a/etc/inc/voucher.inc b/etc/inc/voucher.inc index 8d41e05..e6a44c4 100644 --- a/etc/inc/voucher.inc +++ b/etc/inc/voucher.inc 
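Review bot: The message buffer introduced in _detectChange() is named `$log_error`, the same identifier as the function it is finally passed to in `log_error($log_error);`, which reads like a typo to anyone skimming the hunk. A name such as `$logmsg` (with `$logmsg .= ...` in the two branches of the preceding hunk) makes the deferral obvious, and a one-line comment above the first assignment, `// collect the current/cached WAN IP status and emit it as a single log line`, would explain why the separate log_error() calls were folded together. The enclosing function starts outside the hunk.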
@@ -37,6 +37,53 @@ if(!function_exists('captiveportal_syslog')) require_once("captiveportal.inc"); +function xmlrpc_sync_voucher_expire($vouchers, $syncip, $port, $password, $username) { + global $g, $config; + require_once("xmlrpc.inc"); + if($port == "443") + $url = "https://{$syncip}"; + else + $url = "http://{$syncip}"; + + /* Construct code that is run on remote machine */ + $method = 'pfsense.exec_php'; + $execcmd = <<setCredentials($username, $password); + $resp = $cli->send($msg, "250"); + if(!is_object($resp)) { + $error = "A communications error occurred while attempting CaptivePortalVoucherSync XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + log_error($error); + file_notice("CaptivePortalVoucherSync", $error, "Communications error occurred", ""); + return false; + } elseif($resp->faultCode()) { + $error = "An error code was received while attempting CaptivePortalVoucherSync XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("CaptivePortalVoucherSync", $error, "Error code received", ""); + return false; + } else { + log_error("CaptivePortalVoucherSync XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); + } + + $toreturn = XML_RPC_Decode($resp->value()); + + return $toreturn; +} + function xmlrpc_sync_voucher_disconnect($dbent, $syncip, $port, $password, $username, $term_cause = "1", $stop_time = null) { global $g, $config; require_once("xmlrpc.inc"); 
@@ -138,6 +185,93 @@ EOF; return $toreturn['timeleft']; } +function voucher_expire($voucher_received) { + global $g, $config; + + $voucherlck = lock('voucher', LOCK_EX); + + // XMLRPC Call over to the master Voucher node + if(!empty($config['voucher']['vouchersyncdbip'])) { + $syncip = $config['voucher']['vouchersyncdbip']; + $syncport = $config['voucher']['vouchersyncport']; + $syncpass = $config['voucher']['vouchersyncpass']; + $vouchersyncusername = $config['voucher']['vouchersyncusername']; + xmlrpc_sync_voucher_expire($voucher_received, $syncip, $syncport, $syncpass, $vouchersyncusername); + } + + // read rolls into assoc array with rollid as key and minutes as value + $tickets_per_roll = array(); + $minutes_per_roll = array(); + if (is_array($config['voucher']['roll'])) { + foreach ($config['voucher']['roll'] as $rollent) { + $tickets_per_roll[$rollent['number']] = $rollent['count']; + $minutes_per_roll[$rollent['number']] = $rollent['minutes']; + } + } + + // split into an array. Useful for multiple vouchers given + $a_vouchers_received = split("[\t\n\r ]+",$voucher_received); + $active_dirty = false; + + // go through all received vouchers, check their valid and extract + // Roll# and Ticket# using the external readvoucher binary + foreach ($a_vouchers_received as $voucher) { + $v = escapeshellarg($voucher); + if (strlen($voucher) < 3) + continue; // seems too short to be a voucher! + + $result = exec("/usr/local/bin/voucher -c {$g['varetc_path']}/voucher.cfg -k {$g['varetc_path']}/voucher.public -- $v"); + list($status, $roll, $nr) = explode(" ", $result); + if ($status == "OK") { + // check if we have this ticket on a registered roll for this ticket + if ($tickets_per_roll[$roll] && ($nr <= $tickets_per_roll[$roll])) { + // voucher is from a registered roll. + if (!isset($active_vouchers[$roll])) + $active_vouchers[$roll] = voucher_read_active_db($roll); + // valid voucher. 
Store roll# and ticket# + if (!empty($active_vouchers[$roll][$voucher])) { + $active_dirty = true; + unset($active_vouchers[$roll][$voucher]); + } + // check if voucher already marked as used + if (!isset($bitstring[$roll])) + $bitstring[$roll] = voucher_read_used_db($roll); + $pos = $nr >> 3; // divide by 8 -> octet + $mask = 1 << ($nr % 8); + // mark bit for this voucher as used + if (!(ord($bitstring[$roll][$pos]) & $mask)) + $bitstring[$roll][$pos] = chr(ord($bitstring[$roll][$pos]) | $mask); + captiveportal_syslog("{$voucher} ({$roll}/{$nr}) forced to expire"); + } else + captiveportal_syslog("$voucher ($roll/$nr): not found on any registererd Roll"); + } else + // hmm, thats weird ... not what I expected + captiveportal_syslog("$voucher invalid: $result !!"); + } + + // Refresh active DBs + if ($active_dirty == true) { + foreach ($active_vouchers as $roll => $active) + voucher_write_active_db($roll, $active); + } + + // Write back the used DB's + if (is_array($bitstring)) { + foreach ($bitstring as $roll => $used) { + if(is_array($used)) { + foreach($used as $u) + voucher_write_used_db($roll, base64_encode($u)); + } else { + voucher_write_used_db($roll, base64_encode($used)); + } + } + } + + unlock($voucherlck); + + return true; +} + /* * Authenticate a voucher and return the remaining time credit in minutes * if $test is set, don't mark the voucher as used nor add it to the list 
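Review bot: The return value of `xmlrpc_sync_voucher_expire()` is discarded at the top of `voucher_expire()`, so a peer that rejected or never received the expiry is only logged, and the function still returns `true` unconditionally; the caller in services_captiveportal_vouchers.php cannot tell a full expiry from a half-applied one. Capture it, e.g. `$synced = xmlrpc_sync_voucher_expire($voucher_received, $syncip, $syncport, $syncpass, $vouchersyncusername);`, and fold it into the return value. `$active_vouchers` and `$bitstring` are read before being assigned; initialising them next to `$active_dirty = false;` with `$active_vouchers = array(); $bitstring = array();` keeps the later `is_array($bitstring)` check meaningful. The tokenising also uses the deprecated `split()` (as `voucher_auth()` already does); `preg_split('/[\t\n\r ]+/', $voucher_received)` is the drop-in equivalent.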
@@ -146,17 +280,16 @@ EOF; * but return a more verbose error and result message back */ function voucher_auth($voucher_received, $test = 0) { - global $g, $config; + global $g, $config; - $voucherlck = lock('voucher', LOCK_EX); + $voucherlck = lock('voucher', LOCK_EX); // XMLRPC Call over to the master Voucher node - $a_voucher = &$config['voucher']; - if(!empty($a_voucher['vouchersyncdbip'])) { - $syncip = $a_voucher['vouchersyncdbip']; - $syncport = $a_voucher['vouchersyncport']; - $syncpass = $a_voucher['vouchersyncpass']; - $vouchersyncusername = $a_voucher['vouchersyncusername']; + if(!empty($config['voucher']['vouchersyncdbip'])) { + $syncip = $config['voucher']['vouchersyncdbip']; + $syncport = $config['voucher']['vouchersyncport']; + $syncpass = $config['voucher']['vouchersyncpass']; + $vouchersyncusername = $config['voucher']['vouchersyncusername']; $remote_time_used = xmlrpc_sync_used_voucher($voucher_received, $syncip, $syncport, $syncpass, $vouchersyncusername); } 
@@ -170,105 +303,102 @@ function voucher_auth($voucher_received, $test = 0) { } } - // split into an array. Useful for multiple vouchers given - $a_vouchers_received = split("[\t\n\r ]+",$voucher_received); - $error = 0; - $test_result = array(); // used to display for voucher test option in GUI - $total_minutes = 0; - $first_voucher = ""; - $first_voucher_roll = 0; - - // go through all received vouchers, check their valid and extract - // Roll# and Ticket# using the external readvoucher binary - - foreach ($a_vouchers_received as $voucher) { - - $v = escapeshellarg($voucher); - if (strlen($voucher) < 3) - continue; // seems too short to be a voucher! - - $result = exec("/usr/local/bin/voucher -c {$g['varetc_path']}/voucher.cfg -k {$g['varetc_path']}/voucher.public -- $v"); - list($status, $roll, $nr) = explode(" ", $result); - if ($status == "OK") { - if (!$first_voucher) { - // store first voucher. Thats the one we give the timecredit - $first_voucher = $voucher; - $first_voucher_roll = $roll; - } - // check if we have this ticket on a registered roll for this ticket - if ($tickets_per_roll[$roll] && ($nr <= $tickets_per_roll[$roll])) { - // voucher is from a registered roll. - if (!isset($active_vouchers[$roll])) - $active_vouchers[$roll] = voucher_read_active_db($roll); - // valid voucher. Store roll# and ticket# - if (!empty($active_vouchers[$roll][$voucher])) { - list($timestamp,$minutes) = explode(",", $active_vouchers[$roll][$voucher]); - // we have an already active voucher here. - $remaining = intval((($timestamp + (60*$minutes)) - time())/60); - $test_result[] = "$voucher ($roll/$nr) active and good for $remaining Minutes"; - $total_minutes += $remaining; - } else { - // voucher not used. Check if ticket Id is on the roll (not too high) - // and if the ticket is marked used. 
- // check if voucher already marked as used - if (!isset($bitstring[$roll])) - $bitstring[$roll] = voucher_read_used_db($roll); - $pos = $nr >> 3; // divide by 8 -> octet - $mask = 1 << ($nr % 8); - if (ord($bitstring[$roll][$pos]) & $mask) { - $test_result[] = "$voucher ($roll/$nr) already used and expired"; + // split into an array. Useful for multiple vouchers given + $a_vouchers_received = split("[\t\n\r ]+",$voucher_received); + $error = 0; + $test_result = array(); // used to display for voucher test option in GUI + $total_minutes = 0; + $first_voucher = ""; + $first_voucher_roll = 0; + + // go through all received vouchers, check their valid and extract + // Roll# and Ticket# using the external readvoucher binary + foreach ($a_vouchers_received as $voucher) { + $v = escapeshellarg($voucher); + if (strlen($voucher) < 3) + continue; // seems too short to be a voucher! + + $result = exec("/usr/local/bin/voucher -c {$g['varetc_path']}/voucher.cfg -k {$g['varetc_path']}/voucher.public -- $v"); + list($status, $roll, $nr) = explode(" ", $result); + if ($status == "OK") { + if (!$first_voucher) { + // store first voucher. Thats the one we give the timecredit + $first_voucher = $voucher; + $first_voucher_roll = $roll; + } + // check if we have this ticket on a registered roll for this ticket + if ($tickets_per_roll[$roll] && ($nr <= $tickets_per_roll[$roll])) { + // voucher is from a registered roll. + if (!isset($active_vouchers[$roll])) + $active_vouchers[$roll] = voucher_read_active_db($roll); + // valid voucher. Store roll# and ticket# + if (!empty($active_vouchers[$roll][$voucher])) { + list($timestamp,$minutes) = explode(",", $active_vouchers[$roll][$voucher]); + // we have an already active voucher here. + $remaining = intval((($timestamp + (60*$minutes)) - time())/60); + $test_result[] = "$voucher ($roll/$nr) active and good for $remaining Minutes"; + $total_minutes += $remaining; + } else { + // voucher not used. 
Check if ticket Id is on the roll (not too high) + // and if the ticket is marked used. + // check if voucher already marked as used + if (!isset($bitstring[$roll])) + $bitstring[$roll] = voucher_read_used_db($roll); + $pos = $nr >> 3; // divide by 8 -> octet + $mask = 1 << ($nr % 8); + if (ord($bitstring[$roll][$pos]) & $mask) { + $test_result[] = "$voucher ($roll/$nr) already used and expired"; captiveportal_syslog("$voucher ($roll/$nr) already used and expired"); - $total_minutes = -1; // voucher expired - $error++; - } else { - // mark bit for this voucher as used - $bitstring[$roll][$pos] = chr(ord($bitstring[$roll][$pos]) | $mask); - $test_result[] = "$voucher ($roll/$nr) good for {$minutes_per_roll[$roll]} Minutes"; - $total_minutes += $minutes_per_roll[$roll]; - } - } - } else { - $test_result[] = "$voucher ($roll/$nr): not found on any registererd Roll"; - captiveportal_syslog("$voucher ($roll/$nr): not found on any registererd Roll"); - } - } else { - // hmm, thats weird ... not what I expected - $test_result[] = "$voucher invalid: $result !!"; - captiveportal_syslog("$voucher invalid: $result !!"); - $error++; - } - } + $total_minutes = -1; // voucher expired + $error++; + } else { + // mark bit for this voucher as used + $bitstring[$roll][$pos] = chr(ord($bitstring[$roll][$pos]) | $mask); + $test_result[] = "$voucher ($roll/$nr) good for {$minutes_per_roll[$roll]} Minutes"; + $total_minutes += $minutes_per_roll[$roll]; + } + } + } else { + $test_result[] = "$voucher ($roll/$nr): not found on any registererd Roll"; + captiveportal_syslog("$voucher ($roll/$nr): not found on any registererd Roll"); + } + } else { + // hmm, thats weird ... not what I expected + $test_result[] = "$voucher invalid: $result !!"; + captiveportal_syslog("$voucher invalid: $result !!"); + $error++; + } + } - // if this was a test call, we're done. Return the result. 
- if ($test) { - if ($error) { - $test_result[] = "Access denied!"; - } else { - $test_result[] = "Access granted for $total_minutes Minutes in total."; - } - unlock($voucherlck); - return $test_result; - } + // if this was a test call, we're done. Return the result. + if ($test) { + if ($error) { + $test_result[] = "Access denied!"; + } else { + $test_result[] = "Access granted for $total_minutes Minutes in total."; + } + unlock($voucherlck); - // if we had an error (one of the vouchers is invalid), return 0. - // Discussion: we could return the time remaining for good vouchers, but then - // the user wouldn't know that he used at least one invalid voucher. + return $test_result; + } - if ($error) { + // if we had an error (one of the vouchers is invalid), return 0. + // Discussion: we could return the time remaining for good vouchers, but then + // the user wouldn't know that he used at least one invalid voucher. + if ($error) { unlock($voucherlck); - if ($total_minutes > 0) // probably not needed, but want to make sure - $total_minutes = 0; // we only report -1 (expired) or 0 (no access) - return $total_minutes; // well, at least one voucher had errors. Say NO ACCESS - } + if ($total_minutes > 0) // probably not needed, but want to make sure + $total_minutes = 0; // we only report -1 (expired) or 0 (no access) + return $total_minutes; // well, at least one voucher had errors. Say NO ACCESS + } // If we did a XMLRPC sync earlier check the timeleft - if(!empty($a_voucher['vouchersyncdbip'])) + if (!empty($config['voucher']['vouchersyncdbip'])) if($remote_time_used < $total_minutes) $total_minutes = $remote_time_used; - // All given vouchers were valid and this isn't simply a test. - // Write back the used DB's - + // All given vouchers were valid and this isn't simply a test. + // Write back the used DB's if (is_array($bitstring)) { foreach ($bitstring as $roll => $used) { if(is_array($used)) { 
@@ -280,24 +410,23 @@ function voucher_auth($voucher_received, $test = 0) { } } - // Active DB: we only add the first voucher if multiple given - // and give that one all the time credit. This allows the user to logout and - // log in later using just the first voucher. It also keeps username limited - // to one voucher and that voucher shows the correct time credit in 'active vouchers' - - if (!empty($active_vouchers[$first_voucher_roll][$first_voucher])) { - list($timestamp, $minutes) = explode(",", $active_vouchers[$first_voucher_roll][$first_voucher]); - } else { - $timestamp = time(); // new voucher - $minutes = $total_minutes; - } + // Active DB: we only add the first voucher if multiple given + // and give that one all the time credit. This allows the user to logout and + // log in later using just the first voucher. It also keeps username limited + // to one voucher and that voucher shows the correct time credit in 'active vouchers' + if (!empty($active_vouchers[$first_voucher_roll][$first_voucher])) { + list($timestamp, $minutes) = explode(",", $active_vouchers[$first_voucher_roll][$first_voucher]); + } else { + $timestamp = time(); // new voucher + $minutes = $total_minutes; + } - $active_vouchers[$first_voucher_roll][$first_voucher] = "$timestamp,$minutes"; - voucher_write_active_db($roll, $active_vouchers[$first_voucher_roll]); + $active_vouchers[$first_voucher_roll][$first_voucher] = "$timestamp,$minutes"; + voucher_write_active_db($roll, $active_vouchers[$first_voucher_roll]); - unlock($voucherlck); + unlock($voucherlck); - return $total_minutes; + return $total_minutes; } function voucher_configure($sync = false) { @@ -430,6 +559,8 @@ function voucher_read_active_db($roll) { function voucher_write_active_db($roll, $active) { global $g; + if (!is_array($active)) + return; $fd = fopen("{$g['vardb_path']}/voucher_active_$roll.db", "w"); if ($fd) { foreach($active as $voucher => $value) 
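Review bot: `voucher_write_active_db($roll, $active_vouchers[$first_voucher_roll]);` writes the first voucher's active entry under `$roll`, which at this point holds whatever roll the last voucher in the loop belonged to, so a login with vouchers from two rolls stores the entry in the wrong roll's DB; it should read `voucher_write_active_db($first_voucher_roll, $active_vouchers[$first_voucher_roll]);`. The re-indentation hunk leaves this line as it was. In the `voucher_write_active_db()` hunk, the new `if (!is_array($active)) return;` silently leaves the on-disk file untouched instead of reporting the bad argument; a `log_error()` before the `return` would make a caller passing a non-array visible.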
diff --git a/usr/local/www/services_captiveportal_vouchers.php b/usr/local/www/services_captiveportal_vouchers.php index 19171f4..d5c8347 100644 --- a/usr/local/www/services_captiveportal_vouchers.php +++ b/usr/local/www/services_captiveportal_vouchers.php @@ -163,6 +163,12 @@ $pconfig['vouchersyncusername'] = $config['voucher']['vouchersyncusername']; if ($_POST) { unset($input_errors); + + if ($_POST['postafterlogin']) { + voucher_expire($_POST['voucher_expire']); + exit; + } + $pconfig = $_POST; /* input validation */ -- cgit v1.1 From c206a2ab96e835672bb073b0579d0a3290296067 Mon Sep 17 00:00:00 2001 From: Ermal Date: Wed, 25 May 2011 20:36:01 +0000 Subject: Disable csrf checks when posting from scripts. --- usr/local/www/services_captiveportal_vouchers.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/local/www/services_captiveportal_vouchers.php b/usr/local/www/services_captiveportal_vouchers.php index d5c8347..e1c54b1 100644 --- a/usr/local/www/services_captiveportal_vouchers.php +++ b/usr/local/www/services_captiveportal_vouchers.php @@ -39,6 +39,8 @@ $statusurl = "status_captiveportal_vouchers.php"; $logurl = "diag_logs_auth.php"; +if ($_POST['postafterlogin']) + $nocsrf= true; require("guiconfig.inc"); require("functions.inc"); require("filter.inc"); -- cgit v1.1 From 5c723d9fccffe78e1650c574427100760d0faf5e Mon Sep 17 00:00:00 2001 From: Warren Baker Date: Thu, 26 May 2011 00:00:57 +0200 Subject: Remove out-dated RRD file as it will cause broken images to appear on RRD graphs page. --- conf.default/config.xml | 2 +- etc/inc/globals.inc | 2 +- etc/inc/upgrade_config.inc | 6 ++++++ 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/conf.default/config.xml b/conf.default/config.xml index b291c38..3a0bb64 100644 --- a/conf.default/config.xml +++ b/conf.default/config.xml @@ -1,7 +1,7 @@ - 7.8 + 7.9 pfsense_ng diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc index 7037933..6993148 100644 --- a/etc/inc/globals.inc 
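Review bot: `voucher_expire($_POST['voucher_expire'])` runs and exits before any input validation, and the companion hunk in the following commit (`@@ -39,6 +39,8 @@` in the same file) sets `$nocsrf = true` from the same request-supplied `postafterlogin` field, so the CSRF check is switched off precisely for the request that expires vouchers; a cross-site form posting `postafterlogin=1` reaches this path with the victim's browser session unless another gate applies (authentication in guiconfig.inc is presumably still enforced, but that is not visible here). A script-to-script call should authenticate with something a browser cannot be tricked into sending — the existing XML-RPC channel, or a check that the request originates from the configured sync peer — rather than by disabling CSRF on request. The branch should also validate that `$_POST['voucher_expire']` is a non-empty string before calling `voucher_expire()`.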
+++ b/etc/inc/globals.inc @@ -91,7 +91,7 @@ $g = array( "disablecrashreporter" => false, "crashreporterurl" => "http://crashreporter.pfsense.org/crash_reporter.php", "debug" => false, - "latest_config" => "7.8", + "latest_config" => "7.9", "nopkg_platforms" => array("cdrom"), "minimum_ram_warning" => "101", "minimum_ram_warning_text" => "128 MB", diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc index a158ded..8a1bd68 100644 --- a/etc/inc/upgrade_config.inc +++ b/etc/inc/upgrade_config.inc @@ -2490,4 +2490,10 @@ function upgrade_077_to_078() { $config['pptpd']['radius'] = $radarr; } } + +function upgrade_078_to_079() { + /* Delete old and unused RRD file */ + unlink_if_exists("/var/db/rrd/captiveportal-totalusers.rrd"); +} + ?> -- cgit v1.1 From 474f36d1b277b3e0732496bf0ca8aa1659710809 Mon Sep 17 00:00:00 2001 From: Scott Ullrich Date: Wed, 25 May 2011 18:00:54 -0400 Subject: * Add is_ipaddr_configured() so that people do not need to reinvent the wheel for this task * Check to make sure the administrator is not entering the IP address of the same host preventing a issue where the firewall will sync the voucher database to itself and cause the webConfigurator to crash. --- etc/inc/interfaces.inc | 2 +- etc/inc/pfsense-utils.inc | 19 ++++++++++++++++++- usr/local/www/services_captiveportal_vouchers.php | 2 ++ 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc index 393833f..63f380a 100644 --- a/etc/inc/interfaces.inc +++ b/etc/inc/interfaces.inc @@ -3728,4 +3728,4 @@ function get_vip_descr($ipaddress) { return ""; } -?> +?> \ No newline at end of file diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc index ca16634..a673685 100644 --- a/etc/inc/pfsense-utils.inc +++ b/etc/inc/pfsense-utils.inc 
@@ -2207,4 +2207,21 @@ function load_mac_manufacturer_table() { } -?> +/****f* pfsense-utils/is_ipaddr_configured + * NAME + * is_ipaddr_configured + * INPUTS + * IP Address to check. + * RESULT + * returns true if the IP Address is + * configured and present on this device. +*/ +function is_ipaddr_configured($ipaddr) { + $interface_list_ips = get_configured_ip_addresses(); + foreach($interface_list_ips as $ilips) { + if(strcasecmp($ipaddr, $ilips) == 0) + return true; + } +} + +?> \ No newline at end of file diff --git a/usr/local/www/services_captiveportal_vouchers.php b/usr/local/www/services_captiveportal_vouchers.php index e1c54b1..bdef534 100644 --- a/usr/local/www/services_captiveportal_vouchers.php +++ b/usr/local/www/services_captiveportal_vouchers.php @@ -206,6 +206,8 @@ if ($_POST) { $input_errors[] = gettext("This doesn't look like an RSA Public key."); if ($_POST['privatekey'] && (!strstr($_POST['privatekey'],"BEGIN RSA PRIVATE KEY"))) $input_errors[] = gettext("This doesn't look like an RSA Private key."); + if ($_POST['vouchersyncdbip'] && (is_ipaddr_configured($_POST['vouchersyncdbip']))) + $input_errors[] = gettext("You cannot sync the voucher database to this host (itself)."); } if (!$input_errors) { -- cgit v1.1 From 838e4eb8762a000509cf98e3bd5e2a2cceac06ff Mon Sep 17 00:00:00 2001 From: Warren Baker Date: Thu, 26 May 2011 00:43:28 +0200 Subject: Rather make use of $global variable for RRD path. --- etc/inc/upgrade_config.inc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc index 8a1bd68..c380378 100644 --- a/etc/inc/upgrade_config.inc +++ b/etc/inc/upgrade_config.inc @@ -2492,8 +2492,9 @@ function upgrade_077_to_078() { } function upgrade_078_to_079() { + global $g; /* Delete old and unused RRD file */ - unlink_if_exists("/var/db/rrd/captiveportal-totalusers.rrd"); + unlink_if_exists("{$g['vardb_path']}/rrd/captiveportal-totalusers.rrd"); } ?> -- cgit v1.1 
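Review bot: `is_ipaddr_configured()` has no return on the no-match path, so callers receive `null` rather than the `false` its header promises; add `return false;` after the `foreach`. `strcasecmp()` compares the textual form only, so an address that is configured but written differently (an IPv6 address with or without zero compression, if `get_configured_ip_addresses()` returns those) would not match — hedged, since that helper is not visible here. The vouchers-page check built on it is therefore a best-effort guard, and the sync code should still refuse to connect to one of its own addresses at run time.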
From d65962a7736ae9917182007f4ee0862193fc910f Mon Sep 17 00:00:00 2001 From: Scott Ullrich Date: Wed, 25 May 2011 19:42:48 -0400 Subject: Adding a new hook system for firewall nat edit and firewall rules edit page. Basically if the directory exists it will suck in the files to extend these pags. /usr/local/pkg/firewall_nat/input_validation /usr/local/pkg/firewall_nat/pre_write_config /usr/local/pkg/firewall_nat/htmlphpearly /usr/local/pkg/firewall_nat/htmlphplate /usr/local/pkg/firewall_rules/input_validation /usr/local/pkg/firewall_rules/pre_write_config /usr/local/pkg/firewall_rules/htmlphpearly /usr/local/pkg/firewall_rules/htmlphplate --- etc/inc/pfsense-utils.inc | 13 +++++++++++++ usr/local/www/firewall_nat_edit.php | 15 +++++++++++++++ usr/local/www/firewall_rules_edit.php | 15 +++++++++++++++ 3 files changed, 43 insertions(+) diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc index a673685..6241a1e 100644 --- a/etc/inc/pfsense-utils.inc +++ b/etc/inc/pfsense-utils.inc @@ -2224,4 +2224,17 @@ function is_ipaddr_configured($ipaddr) { } } +function pfSense_handle_custom_code($src_dir) { + // Allow extending of the nat edit page and include custom input validation + if(is_dir("$src_dir")) { + $cf = glob($src_dir); + foreach($cf as $nf) { + if($nf == "." || $nf == "..") + continue; + // Include the extra handler + include("$src_dir/$nf"); + } + } +} + ?> \ No newline at end of file diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php index 3dc1d83..9895312 100755 --- a/usr/local/www/firewall_nat_edit.php +++ b/usr/local/www/firewall_nat_edit.php @@ -290,6 +290,9 @@ if ($_POST) { } } + // Allow extending of the nat edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/input_validation"); + if (!$input_errors) { $natent = array(); 
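Review bot: `glob($src_dir)` with a bare directory path returns an array holding only that path, not its entries, so the loop includes `"$src_dir/$src_dir"` (which does not exist) and the `"."`/`".."` test never matches; the intended call is `glob("$src_dir/*")`, and since `glob()` already returns paths with the directory prefix the include becomes `include($nf);`. Because every file found is executed as PHP, narrowing the pattern to `"$src_dir/*.php"` (or `*.inc`) keeps stray or editor backup files from being executed. The comment should also say "edit pages" rather than "nat edit page", as the same helper is called from firewall_rules_edit.php.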
@@ -422,6 +425,9 @@ if ($_POST) { mark_subsystem_dirty('natconf'); + // Allow extending of the nat edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/pre_write_config"); + write_config(); header("Location: firewall_nat.php"); @@ -440,6 +446,11 @@ include("fbegin.inc"); ?>
+ + @@ -817,6 +828,10 @@ include("fbegin.inc"); ?> + diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php index c051518..d673df8 100755 --- a/usr/local/www/firewall_rules_edit.php +++ b/usr/local/www/firewall_rules_edit.php @@ -401,6 +401,9 @@ if ($_POST) { $input_errors[] = gettext("If you specify TCP flags that should be set you should specify out of which flags as well."); } + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_rules/input_validation"); + if (!$input_errors) { $filterent = array(); $filterent['id'] = $_POST['ruleid']>0?$_POST['ruleid']:''; @@ -554,6 +557,10 @@ if ($_POST) { } filter_rules_sort(); + + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_rules/pre_write_config"); + write_config(); mark_subsystem_dirty('filter'); @@ -596,6 +603,10 @@ include("head.inc"); + +
   
@@ -1381,6 +1392,10 @@ include("head.inc");
  -- cgit v1.1 From e4a8ed97395866b353f99f5473e1fd413f5a05a0 Mon Sep 17 00:00:00 2001 From: Scott Ullrich Date: Wed, 25 May 2011 19:51:00 -0400 Subject: Add function header --- etc/inc/pfsense-utils.inc | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc index 6241a1e..01d3762 100644 --- a/etc/inc/pfsense-utils.inc +++ b/etc/inc/pfsense-utils.inc @@ -2224,6 +2224,14 @@ function is_ipaddr_configured($ipaddr) { } } +/****f* pfsense-utils/pfSense_handle_custom_code + * NAME + * pfSense_handle_custom_code + * INPUTS + * directory name to process + * RESULT + * globs the directory and includes the files + */ function pfSense_handle_custom_code($src_dir) { // Allow extending of the nat edit page and include custom input validation if(is_dir("$src_dir")) { -- cgit v1.1 From 1a6cb6e7630210504d450f3bd4364878eea6b0b8 Mon Sep 17 00:00:00 2001 From: Warren Baker Date: Thu, 26 May 2011 13:41:12 +0200 Subject: Remove decimals from cumulative users graph. --- usr/local/www/status_rrd_graph_img.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/usr/local/www/status_rrd_graph_img.php b/usr/local/www/status_rrd_graph_img.php index a2aa6d2..15a096b 100644 --- a/usr/local/www/status_rrd_graph_img.php +++ b/usr/local/www/status_rrd_graph_img.php 
@@ -940,8 +940,9 @@ elseif((strstr($curdatabase, "-loggedin.rrd")) && (file_exists("$rrddbpath$curda $graphcmd .= "--height 200 --width 620 "; $graphcmd .= "DEF:\"$curif-loggedinusers=$rrddbpath$curdatabase:loggedinusers:AVERAGE\" "; $graphcmd .= "CDEF:\"$curif-totalusers_t=PREV,UN,0,PREV,IF,$curif-loggedinusers,+\" "; - $graphcmd .= "AREA:\"$curif-totalusers_t#{$colorcaptiveportalusers[0]}:Total logged in users\" "; - $graphcmd .= "GPRINT:\"$curif-totalusers_t:MAX:%8.0lf \\n\" "; + $graphcmd .= "CDEF:\"$curif-totalusers_d=$curif-totalusers_t,FLOOR\" "; + $graphcmd .= "AREA:\"$curif-totalusers_d#{$colorcaptiveportalusers[0]}:Total logged in users\" "; + $graphcmd .= "GPRINT:\"$curif-totalusers_d:MAX:%8.0lf \\n\" "; $graphcmd .= "COMMENT:\"\\n\" "; $graphcmd .= "COMMENT:\"\t\t\t\t\t\t\t\t\t\t\t\t\t`date +\"%b %d %H\:%M\:%S %Y\"`\" "; } -- cgit v1.1 From adcf909ae96b5c573ce868bff22442b00f857f47 Mon Sep 17 00:00:00 2001 From: Ermal Date: Thu, 26 May 2011 19:39:58 +0000 Subject: Just use the long reference here instead of creating potential dangerous reference. --- etc/inc/captiveportal.inc | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc index a66c6cb..336b8e8 100644 --- a/etc/inc/captiveportal.inc +++ b/etc/inc/captiveportal.inc 
@@ -809,12 +809,11 @@ function captiveportal_disconnect($dbent, $radiusservers,$term_cause = 1,$stop_t captiveportal_free_ipfw_ruleno($dbent[1]); // XMLRPC Call over to the master Voucher node - $a_voucher = &$config['voucher']; - if(!empty($a_voucher['vouchersyncdbip'])) { - $syncip = $a_voucher['vouchersyncdbip']; - $syncport = $a_voucher['vouchersyncport']; - $syncpass = $a_voucher['vouchersyncpass']; - $vouchersyncusername = $a_voucher['vouchersyncusername']; + if(!empty($config['voucher']['vouchersyncdbip'])) { + $syncip = $config['voucher']['vouchersyncdbip']; + $syncport = $config['voucher']['vouchersyncport']; + $syncpass = $config['voucher']['vouchersyncpass']; + $vouchersyncusername = $config['voucher']['vouchersyncusername']; $remote_status = xmlrpc_sync_voucher_disconnect($dben, $syncip, $syncport, $syncpass, $vouchersyncusername, $term_cause, $stop_time); } -- cgit v1.1 From ab731f540896004f316fac3b7a9657a91a848ee1 Mon Sep 17 00:00:00 2001 From: Ermal Date: Thu, 26 May 2011 20:16:08 +0000 Subject: Bring more consistent style to CP edit mac and ip passthrough pages. --- usr/local/www/services_captiveportal_ip_edit.php | 3 +++ usr/local/www/services_captiveportal_mac_edit.php | 3 +++ 2 files changed, 6 insertions(+) diff --git a/usr/local/www/services_captiveportal_ip_edit.php b/usr/local/www/services_captiveportal_ip_edit.php index fd87c5b..01d52a2 100755 --- a/usr/local/www/services_captiveportal_ip_edit.php +++ b/usr/local/www/services_captiveportal_ip_edit.php @@ -159,6 +159,9 @@ include("head.inc"); + + +
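Review bot: The context line `$remote_status = xmlrpc_sync_voucher_disconnect($dben, ...)` passes `$dben`, but the function's parameter is `$dbent`; `$dben` is never assigned, so the peer receives an empty entry and the remote disconnect is a no-op. The commit replaces the `$config['voucher']` reference but leaves this line untouched; it should read `$remote_status = xmlrpc_sync_voucher_disconnect($dbent, $syncip, $syncport, $syncpass, $vouchersyncusername, $term_cause, $stop_time);`. The body of `captiveportal_disconnect()` continues outside the hunk.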
+ + + "; echo ''; echo ''; echo ''; } @@ -2201,6 +2210,11 @@ $types = array("none" => gettext("None"), "static" => gettext("Static"), "dhcp" report_failure(); } } + function show_advanced_media() { + document.getElementById("showadvmediabox").innerHTML=''; + aodiv = document.getElementById('showmediaadv'); + aodiv.style.display = "block"; + } Date: Fri, 27 May 2011 15:32:02 +0000 Subject: Ticket #1534. Try to stop packages during reboot of system. --- etc/inc/system.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/inc/system.inc b/etc/inc/system.inc index e2c02aa..347de9b 100644 --- a/etc/inc/system.inc +++ b/etc/inc/system.inc @@ -1251,6 +1251,7 @@ function system_reboot_cleanup() { captiveportal_radius_stop_all(); require_once("voucher.inc"); voucher_save_db_to_config(); + mwexec("/etc/rc.stop_packages"); } function system_do_shell_commands($early = 0) { -- cgit v1.1 From 685c977602be47c6b80204953d398171ca7cb0b9 Mon Sep 17 00:00:00 2001 From: jim-p Date: Fri, 27 May 2011 11:56:54 -0400 Subject: Some extra protection against putting empty values into the ruleset. --- etc/inc/filter.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 3ce44a3..47a3bad 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -429,7 +429,7 @@ function filter_generate_scrubing() { } /* disable scrub option */ foreach ($FilterIflist as $scrubif => $scrubcfg) { - if(isset($scrubcfg['virtual'])) + if(isset($scrubcfg['virtual']) || empty($scrubcfg['descr'])) continue; /* set up MSS clamping */ if($scrubcfg['mss'] <> "" && is_numeric($scrubcfg['mss']) && $scrubcfg['if'] != "pppoe" && $scrubcfg['if'] != "pptp" && @@ -518,7 +518,7 @@ function filter_generate_aliases() { $aliases .= "{$ifcfg[0]['descr']} = \"{ {$ifcfg[0]['if']}"; $aliases .= " }\"\n"; } - } else { + } elseif (!empty($ifcfg['descr']) && !empty($ifcfg['if'])) { $aliases .= "{$ifcfg['descr']} = \"{ {$ifcfg['if']}"; $aliases .= " }\"\n"; } -- cgit v1.1 
From f40a03a45cc5394bd61861e1dcf327befac16eee Mon Sep 17 00:00:00 2001 From: jim-p Date: Fri, 27 May 2011 12:01:33 -0400 Subject: Only add pppoe to the interfaces list if it both has an entry and is in server mode (i.e. not disabled.) --- etc/inc/filter.inc | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 47a3bad..e5e173c 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -801,8 +801,8 @@ function filter_generate_optcfg_array() { $oic['virtual'] = true; $FilterIflist['l2tp'] = $oic; } - if (is_array($config['pppoes']['pppoe'])) { - $FilterIflist['pppoe'] = array(); + if (is_array($config['pppoes']['pppoe']) && (count($config['pppoes']['pppoe']) > 0)) { + $pppoeifs = array(); foreach($config['pppoes']['pppoe'] as $pppoe) { if ($pppoe['mode'] == "server") { $oic = array(); @@ -816,9 +816,11 @@ function filter_generate_optcfg_array() { $oic['sn'] = $pppoe['pppoe_subnet']; else $oic['sn'] = "32"; - $FilterIflist['pppoe'][] = $oic; + $pppoeifs[] = $oic; } } + if (count($pppoeifs)) + $FilterIflist['pppoe'] = $pppoeifs; } /* add ipsec interfaces */ if(isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])) { -- cgit v1.1 From 58f963d0da3eb20f17a77bcb4a0b5e881ab39008 Mon Sep 17 00:00:00 2001 From: Scott Ullrich Date: Fri, 27 May 2011 13:06:29 -0400 Subject: Clarify auth option to include Vouchers --- usr/local/www/services_captiveportal.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/www/services_captiveportal.php b/usr/local/www/services_captiveportal.php index 23e6cd9..586e569 100755 --- a/usr/local/www/services_captiveportal.php +++ b/usr/local/www/services_captiveportal.php @@ -474,7 +474,7 @@ value=""> + / -- cgit v1.1 From b45babaeb55ac039f498d13ce556f2d04d4db1f4 Mon Sep 17 00:00:00 2001 
From: Evgeny Yurchenko Date: Fri, 27 May 2011 21:55:22 +0000 Subject: Bug #1403. Filter Rules description do not get saved when "(quote) present as character --- usr/local/www/firewall_nat_1to1_edit.php | 9 +++++++++ usr/local/www/firewall_nat_edit.php | 17 +---------------- usr/local/www/firewall_nat_out_edit.php | 9 +++++++++ 3 files changed, 19 insertions(+), 16 deletions(-) diff --git a/usr/local/www/firewall_nat_1to1_edit.php b/usr/local/www/firewall_nat_1to1_edit.php index e9f4577..135d0e9 100755 --- a/usr/local/www/firewall_nat_1to1_edit.php +++ b/usr/local/www/firewall_nat_1to1_edit.php @@ -99,6 +99,15 @@ if ($_POST) { unset($input_errors); $pconfig = $_POST; + /* run through $_POST items encoding HTML entties so that the user + * cannot think he is slick and perform a XSS attack on the unwilling + */ + foreach ($_POST as $key => $value) { + $temp = str_replace(">", "", $value); + $newpost = htmlentities($temp); + if($newpost <> $temp) + $input_errors[] = sprintf(gettext("Invalid characters detected (%s). Please remove invalid characters and save again."),$temp); + } /* input validation */ $reqdfields = explode(" ", "interface external"); diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php index 9895312..970720e 100755 --- a/usr/local/www/firewall_nat_edit.php +++ b/usr/local/www/firewall_nat_edit.php @@ -101,6 +101,7 @@ if (isset($_GET['dup'])) /* run through $_POST items encoding HTML entties so that the user * cannot think he is slick and perform a XSS attack on the unwilling */ +unset($input_errors); foreach ($_POST as $key => $value) { $temp = $value; $newpost = htmlentities($temp); @@ -173,7 +174,6 @@ if ($_POST) { $_POST['dsttype'] = "single"; } - unset($input_errors); $pconfig = $_POST; /* input validation */ 
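Review bot: In the firewall_nat_1to1_edit.php hunk the check compares `htmlentities()` output against a copy with `>` stripped, so `>` is silently accepted into `$_POST` while `<`, `&`, `"` and `'` cause the save to be rejected — a description such as `R&D` or one containing an apostrophe now fails with an error instead of being dropped silently. Rejecting input is not the control that prevents script injection; escape the value with `htmlspecialchars()` where it is rendered, and if the validation is kept, make it reject exactly the set it intends to. The parallel loop in firewall_nat_edit.php (the `@@ -101,6 +101,7 @@` hunk) has no `>` stripping, so the two pages now disagree on what is valid; one shared helper would keep them consistent. The error string also embeds the raw `$temp`, which is only safe if the page escapes `$input_errors` when printing them.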
@@ -290,9 +290,6 @@ if ($_POST) { } } - // Allow extending of the nat edit page and include custom input validation - pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/input_validation"); - if (!$input_errors) { $natent = array(); @@ -425,9 +422,6 @@ if ($_POST) { mark_subsystem_dirty('natconf'); - // Allow extending of the nat edit page and include custom input validation - pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/pre_write_config"); - write_config(); header("Location: firewall_nat.php"); @@ -446,11 +440,6 @@ include("fbegin.inc"); ?>
-- cgit v1.1 From b75d32e558bcf374ac807021545263b22470d529 Mon Sep 17 00:00:00 2001 From: Ermal Date: Thu, 26 May 2011 20:51:23 +0000 Subject: Free ipfw rule number after mac pass-through deletion. --- usr/local/www/services_captiveportal_mac.php | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/local/www/services_captiveportal_mac.php b/usr/local/www/services_captiveportal_mac.php index 25c250c..f42ac80 100755 --- a/usr/local/www/services_captiveportal_mac.php +++ b/usr/local/www/services_captiveportal_mac.php @@ -108,6 +108,7 @@ if ($_GET['act'] == "del") { if ($a_passthrumacs[$_GET['id']]) { $ruleno = captiveportal_get_ipfw_passthru_ruleno($a_passthrumacs[$_GET['id']]['mac']); if ($ruleno) { + captiveportal_free_ipfw_ruleno($ruleno); mwexec("/sbin/ipfw delete {$ruleno}; /sbin/ipfw delete " . ++$ruleno); } unset($a_passthrumacs[$_GET['id']]); -- cgit v1.1 From 13f0762d9c2f23e19eec13dc1041506c40051be8 Mon Sep 17 00:00:00 2001 From: Bill Marquette Date: Thu, 26 May 2011 22:28:19 -0500 Subject: Fix #1277 Wasn't able to remove the multicast RIPv2 discovery at startup, but all ripv1 response's are gone now. --- usr/local/pkg/routed.inc | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/usr/local/pkg/routed.inc b/usr/local/pkg/routed.inc index 4d1b1d8..ec730d5 100644 --- a/usr/local/pkg/routed.inc +++ b/usr/local/pkg/routed.inc 
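Review bot: `captiveportal_free_ipfw_ruleno($ruleno)` runs before the `ipfw delete` that removes rules `$ruleno` and `$ruleno + 1`, so if freeing makes the number eligible for reuse, a concurrent pass-through addition could be handed a number whose rules are about to be deleted (the allocator is not on the page, so this depends on how the pool is implemented). Releasing after the delete closes that window: `$base = $ruleno; mwexec("/sbin/ipfw delete {$base}; /sbin/ipfw delete " . ($base + 1)); captiveportal_free_ipfw_ruleno($base);`, which also removes the `++$ruleno` side effect hidden inside the string concatenation. mwexec's return value is still unchecked, so a failed delete leaves the rules installed while the number is recycled.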
@@ -39,10 +39,15 @@ function setup_routed() { if (isset($config['installedpackages']['routed']['config'][0]['enable']) && $config['installedpackages']['routed']['config'][0]['enable'] == "on") { /* if user selected individual interfaces */ - $ifarr = explode(",", $config['installedpackages']['routed']['config'][0]['iface_array']); + $ifarr = array_flip(explode(",", $config['installedpackages']['routed']['config'][0]['iface_array'])); + $allifs = get_interface_arr(); if (!empty($ifarr)) { - foreach($ifarr as $ifname) { - $gw .= setup_etc_gateways($ifname, 'enable'); + foreach($allifs as $ifname) { + $friendly_ifname = convert_real_interface_to_friendly_interface_name($ifname); + if (array_key_exists($friendly_ifname, $ifarr)) + $gw .= setup_etc_gateways($ifname, 'enable'); + else + $gw .= setup_etc_gateways($ifname, 'disable'); } } else /* setup for all interfaces */ @@ -76,7 +81,7 @@ function setup_etc_gateways($iface="", $mode="") { } break; case "disable": - $ret .= "no_rip "; + $ret .= "no_rip_out no_solicit no_rdisc no_rdisc_adv"; break; default: -- cgit v1.1 From dfb30a896c7c6ccbc19330d8cc2ef00e20725f2c Mon Sep 17 00:00:00 2001 From: Ermal Date: Fri, 27 May 2011 07:56:11 +0000 Subject: Trigger reloading of packages through check_reload_status so it can serialize the calls to not DoS the OS with processes triggered from this. Ticket #1534 --- etc/rc.newwanip | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/rc.newwanip b/etc/rc.newwanip index 0395099..93eb089 100755 --- a/etc/rc.newwanip +++ b/etc/rc.newwanip @@ -51,7 +51,7 @@ function restart_packages() { /* restart packages */ system_ntp_configure(); log_error("{$g['product_name']} package system has detected an ip change $oldip -> $curwanip ... Restarting packages."); - mwexec_bg("/etc/rc.start_packages"); + send_event("reload packages"); } /* Interface IP address has changed */ -- cgit v1.1 From 224ddbadab18d56f6f6ffef408ff24f3c5161303 Mon Sep 17 00:00:00 2001 
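Review bot: `array_flip(explode(",", ...))` turns an empty `iface_array` into `array("" => 0)`, so `!empty($ifarr)` stays true and the new loop runs with a lookup table containing only the empty key; if `convert_real_interface_to_friendly_interface_name()` yields an empty value for an interface without a friendly name (that helper is not on the page), `array_key_exists` matches the `""` key and RIP is enabled on it. Filtering empties on both sides closes this: `$ifarr = array_flip(array_filter(explode(",", $config['installedpackages']['routed']['config'][0]['iface_array'])));` and `if (!empty($friendly_ifname) && array_key_exists($friendly_ifname, $ifarr))`. It also makes the `else /* setup for all interfaces */` branch reachable for an empty selection, which its comment suggests was intended.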
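Review bot: Replacing `no_rip` with `no_rip_out no_solicit no_rdisc no_rdisc_adv` in the `"disable"` case drops the suppression of inbound RIP: routed(8) treats `no_rip` as disabling RIP in both directions, so a deselected interface now stops advertising but still accepts routes learned on that segment, which is more exposure to a rogue RIP speaker than before. If the goal was only to add the discovery flags, keep `no_rip` (or add `no_rip_in`): `$ret .= "no_rip no_solicit no_rdisc no_rdisc_adv ";`. The original string ended with a space and the new one does not; if anything else is appended to `$ret` later in `setup_etc_gateways()` (outside this hunk) the tokens would run together.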
From: Ermal Date: Fri, 27 May 2011 08:24:32 +0000 Subject: Silence the route changing since it fills the logs with not needed info. --- etc/inc/vpn.inc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index f595c9b..2411caf 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -864,8 +864,7 @@ EOD; /* FIXME: does adding route-to and reply-to on the in/outbound * rules fix this? smos@ 13-01-2009 */ // log_error("IPSEC interface is not WAN but {$parentinterface}, adding static route for VPN endpoint {$rgip} via {$gatewayip}"); - mwexec("/sbin/route delete -host {$rgip}"); - mwexec("/sbin/route add -host {$rgip} {$gatewayip}"); + mwexec("/sbin/route delete -host {$rgip}; /sbin/route add -host {$rgip} {$gatewayip}", true); } } } -- cgit v1.1 From 71070cc55fff338e93ed945e429b585acf72d4bb Mon Sep 17 00:00:00 2001 From: Ermal Date: Fri, 27 May 2011 10:45:05 +0000 Subject: Ticket #1545. Lock each dnsHost to be updated to prevent running two instances in parallell. --- etc/inc/dyndns.class | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/etc/inc/dyndns.class b/etc/inc/dyndns.class index 01209b9..e155c20 100644 --- a/etc/inc/dyndns.class +++ b/etc/inc/dyndns.class @@ -98,7 +98,9 @@ $this->_debugFile = "{$g['varetc_path']}/dyndns_{$dnsIf}{$dnsService}" . escapeshellarg($dnsHost) . ".debug"; log_error("DynDns: updatedns() starting"); - + + $dyndnslck = lock($dnsHost, LOCK_EX); + if (!$dnsService) $this->_error(2); switch ($dnsService) { case 'freedns': @@ -128,6 +130,7 @@ // Ensure that we where able to lookup the IP if(!is_ipaddr($this->_ifIP)) { log_error("There was an error trying to determine the IP for interface - {$dnsIf}({$this->_if}). Probably interface has no ip or is down. Dyndns update not possible for {$dnsService}."); + unlock($dyndnslck); return; } @@ -162,6 +165,8 @@ break; } } + + unlock($dyndnslck); } /* -- cgit v1.1 
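Review bot: Passing `true` as mwexec()'s second argument (its mute flag, as the use here suggests) now silences both commands, so a failed `route add` for the VPN endpoint goes unlogged, whereas the previous form only produced noise from a `route delete` of a route that did not exist yet. Muting only the delete keeps the useful failure visible: `mwexec("/sbin/route delete -host {$rgip}", true); mwexec("/sbin/route add -host {$rgip} {$gatewayip}");`. `$rgip` and `$gatewayip` are still interpolated into a shell string unquoted; that is pre-existing, but if they are not guaranteed to be validated addresses at this point (not visible here), wrapping them with `escapeshellarg()` is cheap.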
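Review bot: In the @@ -98 hunk the lock is taken before `if (!$dnsService) $this->_error(2);`, so unless `_error()` never returns to this function that path leaves `$dyndnslck` held; the `switch` that follows is outside the hunk, so any other early exit in it needs the same `unlock($dyndnslck)` the @@ -128 hunk adds. Taking the lock after the check removes one such path: `if (!$dnsService) $this->_error(2); $dyndnslck = lock($dnsHost, LOCK_EX);`. The lock key is the raw `$dnsHost`; the debug-file line just above wraps the same value in `escapeshellarg()`, which suggests it is not trusted, so if `lock()` derives a filesystem path from its argument (the helper is not visible) the host should be sanitized the same way.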
From 93b8df2a16137c737b5e7d16a070cb3e341cc1ec Mon Sep 17 00:00:00 2001 From: Ermal Date: Fri, 27 May 2011 10:46:33 +0000 Subject: Increase timeout to 2 minutes. Ticket #1545. --- etc/inc/dyndns.class | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/inc/dyndns.class b/etc/inc/dyndns.class index e155c20..65defb2 100644 --- a/etc/inc/dyndns.class +++ b/etc/inc/dyndns.class @@ -183,7 +183,7 @@ curl_setopt($ch, CURLOPT_USERAGENT, $this->_UserAgent); curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); curl_setopt($ch, CURLOPT_INTERFACE, $this->_ifIP); - curl_setopt($ch, CURLOPT_TIMEOUT, 60); // Completely empirical + curl_setopt($ch, CURLOPT_TIMEOUT, 120); // Completely empirical } switch ($this->_dnsService) { @@ -966,7 +966,7 @@ curl_setopt($ip_ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ip_ch, CURLOPT_INTERFACE, $ip_address); curl_setopt($ip_ch, CURLOPT_CONNECTTIMEOUT, '30'); - curl_setopt($ip_ch, CURLOPT_TIMEOUT, 60); + curl_setopt($ip_ch, CURLOPT_TIMEOUT, 120); $ip_result_page = curl_exec($ip_ch); curl_close($ip_ch); $ip_result_decoded = urldecode($ip_result_page); -- cgit v1.1 From 6e2a15e677fa0558ba0c9b1700be38f4065a76f6 Mon Sep 17 00:00:00 2001 From: Evgeny Yurchenko Date: Fri, 27 May 2011 15:21:25 +0000 Subject: Hiding mediaopt under Advanced button --- usr/local/www/interfaces.php | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/usr/local/www/interfaces.php b/usr/local/www/interfaces.php index f7c80f8..9992830 100755 --- a/usr/local/www/interfaces.php +++ b/usr/local/www/interfaces.php @@ -1183,6 +1183,14 @@ $types = array("none" => gettext("None"), "static" => gettext("Static"), "dhcp" echo "
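Review bot: If the per-host lock added in the previous dyndns.class commit is still held when this request runs (the call chain is not visible), raising `CURLOPT_TIMEOUT` to 120 means an unreachable provider now blocks other updates for the same host for up to two minutes per attempt; a comment stating that trade-off next to the "Completely empirical" remark would help. At @@ -966 `CURLOPT_CONNECTTIMEOUT` is still passed as the string `'30'` while the timeout is an int; `curl_setopt($ip_ch, CURLOPT_CONNECTTIMEOUT, 30);` keeps the types consistent. The same context shows `CURLOPT_SSL_VERIFYPEER, FALSE` for the IP-lookup request, so the address it returns is not authenticated; a short comment saying whether that is deliberate would spare the next reader the question.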
' . gettext("Speed and duplex") . ''; + echo '"; + echo '
"; + else echo '>'; echo '
'; echo gettext("Here you can explicitely set up speed and duplex mode for the interface."); + echo '
'; echo '
> -
> -- cgit v1.1 From 552605326ced208167bbf3d647fa612e4010a2b7 Mon Sep 17 00:00:00 2001 From: Scott Ullrich Date: Fri, 27 May 2011 13:27:34 -0400 Subject: Add note about voucher sync (only enable on slave nodes). --- usr/local/www/services_captiveportal_vouchers.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/local/www/services_captiveportal_vouchers.php b/usr/local/www/services_captiveportal_vouchers.php index bdef534..f5af953 100644 --- a/usr/local/www/services_captiveportal_vouchers.php +++ b/usr/local/www/services_captiveportal_vouchers.php @@ -568,7 +568,8 @@ function enable_change(enable_change) { -
+
+
- - @@ -828,10 +817,6 @@ include("fbegin.inc"); ?> - diff --git a/usr/local/www/firewall_nat_out_edit.php b/usr/local/www/firewall_nat_out_edit.php index 4d960f2..5057ea8 100755 --- a/usr/local/www/firewall_nat_out_edit.php +++ b/usr/local/www/firewall_nat_out_edit.php @@ -115,6 +115,15 @@ if ($_POST) { unset($input_errors); $pconfig = $_POST; + /* run through $_POST items encoding HTML entties so that the user + * cannot think he is slick and perform a XSS attack on the unwilling + */ + foreach ($_POST as $key => $value) { + $temp = str_replace(">", "", $value); + $newpost = htmlentities($temp); + if($newpost <> $temp) + $input_errors[] = sprintf(gettext("Invalid characters detected (%s). Please remove invalid characters and save again."),$temp); + } /* input validation */ $reqdfields = explode(" ", "interface protocol source source_subnet destination destination_subnet"); -- cgit v1.1 From d97ff036ab05751ea499553792e0ae5fc73fb3f6 Mon Sep 17 00:00:00 2001 From: Ermal Date: Mon, 30 May 2011 13:11:03 +0000 Subject: Prevent races on resovlconf generation as well by adding a lock. --- etc/inc/system.inc | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/etc/inc/system.inc b/etc/inc/system.inc index 347de9b..72b2e0d 100644 --- a/etc/inc/system.inc +++ b/etc/inc/system.inc @@ -116,9 +116,12 @@ function system_resolvconf_generate($dynupdate = false) { } } + $dnslock = lock('resolvconf', LOCK_EX); + $fd = fopen("{$g['varetc_path']}/resolv.conf", "w"); if (!$fd) { printf("Error: cannot open resolv.conf in system_resolvconf_generate().\n"); + unlock($dnslock); return 1; } @@ -148,7 +151,9 @@ function system_resolvconf_generate($dynupdate = false) { } } } - + + unlock($dnslock); + return 0; } -- cgit v1.1 From 3dbceb92140459d4ffff77df33dcc150c4e01d00 Mon Sep 17 00:00:00 2001 
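Review bot: `lock('resolvconf', LOCK_EX)` is acquired only just before the `fopen()`, after the function has already gathered its nameserver data from `$config` above the hunk, so two concurrent callers can both read state and then serialize only the write, and the later one to obtain the lock may write the older snapshot; moving the lock to the top of `system_resolvconf_generate()` (its start is outside the hunk) makes the read-and-write atomic. `lock()`'s return value is not checked, so if it can return false on failure the later `unlock($dnslock)` is at best a no-op. The `fopen` failure path still reports via `printf` rather than `log_error()`, which is how the other code on this page reports problems.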
From: Scott Ullrich Date: Mon, 30 May 2011 12:02:41 -0400 Subject: Include .inc files for plugin system --- etc/inc/pfsense-utils.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc index 01d3762..c75ae20 100644 --- a/etc/inc/pfsense-utils.inc +++ b/etc/inc/pfsense-utils.inc @@ -2235,12 +2235,12 @@ function is_ipaddr_configured($ipaddr) { function pfSense_handle_custom_code($src_dir) { // Allow extending of the nat edit page and include custom input validation if(is_dir("$src_dir")) { - $cf = glob($src_dir); + $cf = glob($src_dir . "/*.inc"); foreach($cf as $nf) { if($nf == "." || $nf == "..") continue; // Include the extra handler - include("$src_dir/$nf"); + include("$nf"); } } } -- cgit v1.1 From 2ea00c3e74a0f574778ba3cf1ca8053fb7c000c3 Mon Sep 17 00:00:00 2001 From: Scott Ullrich Date: Mon, 30 May 2011 12:28:21 -0400 Subject: Add missing plugin code. Move the pre_write section up a bit. --- usr/local/www/firewall_nat_edit.php | 14 ++++++++++++++ usr/local/www/firewall_rules_edit.php | 6 +++--- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php index 970720e..5aa069c 100755 --- a/usr/local/www/firewall_nat_edit.php +++ b/usr/local/www/firewall_nat_edit.php @@ -290,6 +290,9 @@ if ($_POST) { } } + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/input_validation"); + if (!$input_errors) { $natent = array(); @@ -410,6 +413,9 @@ if ($_POST) { mark_subsystem_dirty('filter'); } + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/pre_write_config"); + // Update the NAT entry now if (isset($id) && $a_nat[$id]) $a_nat[$id] = $natent; @@ -443,6 +449,10 @@ include("fbegin.inc"); ?> + + 
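Review bot: After switching to `glob($src_dir . "/*.inc")` the `"."`/`".."` check is dead code, and `glob()` can return false rather than an array, which would make the `foreach` emit a warning; `$cf = glob($src_dir . "/*.inc"); if ($cf === false) return; foreach ($cf as $nf) include($nf);` covers both. Because every `.inc` in the directory is executed with the web server's privileges, that directory must not be writable by the web user, and `$src_dir` should keep coming from fixed literals as every call site on this page does, never from request data. The function's own comment still says "nat edit page" although it is now called from several pages; `// Include every *.inc under $src_dir so packages can hook this page` would be accurate.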
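Review bot: The comment above `pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/pre_write_config")` at @@ -413 says "include custom input validation", which is the text of the input_validation hook; at that point `$input_errors` has already been checked and `$natent` is about to be stored, so plugin code there can no longer reject the submission. `// Plugin hook: last chance to adjust $natent before it is written to config` describes what the hook can actually do. The same copied comment sits on the pre_write_config hooks in firewall_rules_edit.php (@@ -547) and firewall_nat_out_edit.php (@@ -274).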
diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php index d673df8..79f65f0 100755 --- a/usr/local/www/firewall_rules_edit.php +++ b/usr/local/www/firewall_rules_edit.php @@ -547,6 +547,9 @@ if ($_POST) { $filterent['associated-rule-id'] = $a_filter[$id]['associated-rule-id']; } + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_rules/pre_write_config"); + if (isset($id) && $a_filter[$id]) $a_filter[$id] = $filterent; else { @@ -558,9 +561,6 @@ if ($_POST) { filter_rules_sort(); - // Allow extending of the firewall edit page and include custom input validation - pfSense_handle_custom_code("/usr/local/pkg/firewall_rules/pre_write_config"); - write_config(); mark_subsystem_dirty('filter'); -- cgit v1.1 From 2ba7d6f8effafed4a4eb40bbf68a363ce0f4817a Mon Sep 17 00:00:00 2001 From: Scott Ullrich Date: Mon, 30 May 2011 15:25:25 -0400 Subject: Add plugin features to aon edit --- usr/local/www/firewall_nat_out_edit.php | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/usr/local/www/firewall_nat_out_edit.php b/usr/local/www/firewall_nat_out_edit.php index 5057ea8..9456206 100755 --- a/usr/local/www/firewall_nat_out_edit.php +++ b/usr/local/www/firewall_nat_out_edit.php @@ -46,7 +46,7 @@ require("filter.inc"); require("shaper.inc"); if (!is_array($config['nat']['advancedoutbound'])) - $config['nat']['advancedoutbound'] = array(); + $config['nat']['advancedoutbound'] = array(); if (!is_array($config['nat']['advancedoutbound']['rule'])) { $config['nat']['advancedoutbound']['rule'] = array(); @@ -218,6 +218,9 @@ if ($_POST) { } } + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_aon/input_validation"); + if (!$input_errors) { $natent = array(); $natent['source']['network'] = $osn; 
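Review bot: Moving the pre_write_config hook above `if (isset($id) && $a_filter[$id]) $a_filter[$id] = $filterent;` changes what plugins see: they now run before the entry is placed in `$a_filter`, so a plugin that inspected the updated rule list (as it could in the old position after `filter_rules_sort()`) would see stale data, while one that edits `$filterent` now takes effect. That is a reasonable contract but it is not stated anywhere; `// Plugins may modify $filterent here; it has not yet been stored in $a_filter` would pin it down. The enclosing `if ($_POST)` block starts and ends outside the hunk.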
@@ -274,6 +277,9 @@ if ($_POST) { $natent['destination']['not'] = true; } + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_aon/pre_write_config"); + if (isset($id) && $a_out[$id]) { $a_out[$id] = $natent; } else { @@ -396,6 +402,10 @@ function poolopts_change() { +
+ -- cgit v1.1 From edb2a3dab4833fa024828f3150cdcc1521ea1b48 Mon Sep 17 00:00:00 2001 From: Evgeny Yurchenko Date: Mon, 30 May 2011 22:10:36 -0400 Subject: Bug#1528. Automatically create outbound NAT rules on WAN for localhost when switching to manual. --- usr/local/www/firewall_nat_out.php | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/usr/local/www/firewall_nat_out.php b/usr/local/www/firewall_nat_out.php index e6b5900..b8506d8 100755 --- a/usr/local/www/firewall_nat_out.php +++ b/usr/local/www/firewall_nat_out.php @@ -125,6 +125,17 @@ if (isset($_POST['save']) && $_POST['save'] == "Save") { $natent['natport'] = ""; $a_out[] = $natent; + $natent = array(); + $natent['source']['network'] = "127.0.0.0/8"; + $natent['dstport'] = ""; + $natent['descr'] = sprintf(gettext('Auto created rule for localhost to %1$s'),$ifdesc2); + $natent['target'] = ""; + $natent['interface'] = $if2; + $natent['destination']['any'] = true; + $natent['staticnatport'] = false; + $natent['natport'] = "1024:65535"; + $a_out[] = $natent; + /* PPTP subnet */ if (($config['pptpd']['mode'] == "server") && is_private_ip($config['pptpd']['remoteip'])) { $pptp_subnets = ip_range_to_subnet_array($config['pptpd']['remoteip'], long2ip32(ip2long($config['pptpd']['remoteip'])+$config['pptpd']['n_pptp_units'])); -- cgit v1.1 From 061f28bfd582d1f08d8dfe60f87fc4fd99ec0a93 Mon Sep 17 00:00:00 2001 From: Evgeny Yurchenko Date: Tue, 31 May 2011 05:03:39 -0400 Subject: Bug #1560. IPsec GUI needs to reject duplicate subnets in phase 2s for a given phase 1(mobile clients). --- usr/local/www/vpn_ipsec_phase2.php | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php index d45b0d6..bd71191 100644 --- a/usr/local/www/vpn_ipsec_phase2.php +++ b/usr/local/www/vpn_ipsec_phase2.php 
@@ -142,7 +142,34 @@ if ($_POST) { } /* TODO : Validate enabled phase2's are not duplicates */ - + if (isset($pconfig['mobile'])){ + foreach($a_phase2 as $name){ + if (isset($name['mobile'])){ + /* check duplicate localids only for mobile clents */ + if ($name['localid']['type'] == $pconfig['localid_type']){ + /* Types match, check further */ + switch($pconfig['localid_type']){ + case "none": + case "lan": + case "wan": + $input_errors[] = gettext("Phase2 with this Local Network is already defined for mobile clients."); + break; + case "address": + if ($name['localid']['address'] == $pconfig['localid_address']) + $input_errors[] = gettext("Phase2 with this Local Address is already defined for mobile clients."); + break; + case "network": + if ($name['localid']['address'] == $pconfig['localid_address'] && + $name['localid']['netbits'] == $pconfig['localid_netbits']) + $input_errors[] = gettext("Phase2 with this Local Network is already defined for mobile clients."); + break; + } + if (count($input_errors) > 0) + break; /* there is an error, stop checking other phase2 definitions */ + } + } + } + } $ealgos = pconfig_to_ealgos($pconfig); if (!count($ealgos)) { -- cgit v1.1 From 85055175a102caa0f0bd07f50546553b36d935c9 Mon Sep 17 00:00:00 2001 From: Scott Ullrich Date: Tue, 31 May 2011 11:57:49 -0400 Subject: Remove old vidcontrol cruft lingering from long long ago --- etc/rc.shutdown | 4 ---- 1 file changed, 4 deletions(-) diff --git a/etc/rc.shutdown b/etc/rc.shutdown index 14faf80..c7e8b25 100755 --- a/etc/rc.shutdown +++ b/etc/rc.shutdown @@ -5,10 +5,6 @@ if ! /usr/bin/lockf -s -t 30 /tmp/config.lock /usr/bin/true; then exit -1 fi -if [ -e /dev/ukbd0 ]; then - /usr/sbin/vidcontrol -s 2 -fi - product=`cat /etc/inc/globals.inc | grep product_name | cut -d'"' -f4` echo -- cgit v1.1 From 10d74dff5a96deeacc57b81bab723740267fc5b8 Mon Sep 17 00:00:00 2001 
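Review bot: The duplicate check iterates over every entry of `$a_phase2` without skipping the entry currently being edited, so unless that is handled above the hunk (not visible) re-saving an existing mobile phase 2 with an unchanged local network is rejected as a duplicate of itself; a guard such as `foreach ($a_phase2 as $p2idx => $name) { if (isset($id) && $p2idx == $id) continue;` avoids that, assuming `$id` names the entry being edited as the other edit pages on this page use it. The `"network"` case only flags identical address/netbits pairs, so overlapping networks (e.g. 10.0.0.0/24 and 10.0.0.0/25) are still accepted; if that is intended, a comment saying duplicates are exact matches only would save the next reader the question. `"mobile clents"` in the comment should read `"mobile clients"`.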
From: Scott Ullrich Date: Tue, 31 May 2011 12:35:17 -0400 Subject: Remove bogus protection. We have better handling of this now. --- usr/local/www/firewall_rules_edit.php | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php index 79f65f0..bd8f48d 100755 --- a/usr/local/www/firewall_rules_edit.php +++ b/usr/local/www/firewall_rules_edit.php @@ -253,19 +253,6 @@ if ($_POST) { unset($input_errors); $pconfig = $_POST; - /* run through $_POST items encoding HTML entties so that the user - * cannot think he is slick and perform a XSS attack on the unwilling - */ - foreach ($_POST as $key => $value) { - $temp = str_replace(">", "", $value); - - if (isset($_POST['floating']) && $key == "interface") - continue; - $newpost = htmlentities($temp); - if($newpost <> $temp) - $input_errors[] = sprintf(gettext("Invalid characters detected (%s). Please remove invalid characters and save again."),$temp); - } - /* input validation */ $reqdfields = explode(" ", "type proto"); if ( isset($a_filter[$id]['associated-rule-id'])===false ) { -- cgit v1.1 From db748384c13c38f2b4f3358d1980f74e79aacf77 Mon Sep 17 00:00:00 2001 From: Scott Ullrich Date: Tue, 31 May 2011 13:45:16 -0400 Subject: Add merge handler code --- usr/local/www/xmlrpc.php | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/usr/local/www/xmlrpc.php b/usr/local/www/xmlrpc.php index 97fbc45..7c2e1d0 100755 --- a/usr/local/www/xmlrpc.php +++ b/usr/local/www/xmlrpc.php 
@@ -271,8 +271,17 @@ $merge_config_section_sig = array( function merge_config_section_xmlrpc($raw_params) { global $config, $xmlrpc_g; - - return restore_config_section_xmlrpc($raw_params); + $params = xmlrpc_params_to_php($raw_params); + if(!xmlrpc_auth($params)) + return $xmlrpc_g['return']['authfail']; + $config_new = array_merge($config, $params[0]); + $config = $config_new; + $mergedkeys = implode(",", array_keys($params[0])); + $fd = fopen("/tmp/array.txt", "w"); + fwrite($fd, print_r($params[0], true)); + fclose($fd); + write_config(sprintf(gettext("Merged in config (%s sections) from XMLRPC client."), $mergedkeys)); + return $xmlrpc_g['return']['true']; } /*****************************/ -- cgit v1.1 From 485b1ca5ce2429d334b2d8de19a772752ab63b12 Mon Sep 17 00:00:00 2001 From: Scott Ullrich Date: Tue, 31 May 2011 13:47:53 -0400 Subject: Remove debugging code --- usr/local/www/xmlrpc.php | 3 --- 1 file changed, 3 deletions(-) diff --git a/usr/local/www/xmlrpc.php b/usr/local/www/xmlrpc.php index 7c2e1d0..c534b43 100755 --- a/usr/local/www/xmlrpc.php +++ b/usr/local/www/xmlrpc.php @@ -277,9 +277,6 @@ function merge_config_section_xmlrpc($raw_params) { $config_new = array_merge($config, $params[0]); $config = $config_new; $mergedkeys = implode(",", array_keys($params[0])); - $fd = fopen("/tmp/array.txt", "w"); - fwrite($fd, print_r($params[0], true)); - fclose($fd); write_config(sprintf(gettext("Merged in config (%s sections) from XMLRPC client."), $mergedkeys)); return $xmlrpc_g['return']['true']; } -- cgit v1.1 From 456026b5425b64cba3d4632712c63a0c661a5e27 Mon Sep 17 00:00:00 2001 From: Scott Ullrich Date: Tue, 31 May 2011 13:50:00 -0400 Subject: Use pfsense.restore_config_section --- etc/rc.filter_synchronize | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/rc.filter_synchronize b/etc/rc.filter_synchronize index 6acadc0..af0e5cc 100755 --- a/etc/rc.filter_synchronize +++ b/etc/rc.filter_synchronize 
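Review bot: `merge_config_section_xmlrpc()` merges whatever top-level keys the authenticated peer sends straight into `$config` with no allowlist of sections, so a compromised or misconfigured sync peer can overwrite any section, not just the ones the sync feature is meant to carry; restricting `$params[0]` to an explicit list of mergeable sections before the merge, and returning `$xmlrpc_g['return']['authfail']` or a dedicated error otherwise, would bound the damage. `$mergedkeys` is also built from `array_keys($params[0])` before anything is validated, so the write_config message can claim sections were merged that were not.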
@@ -390,7 +390,7 @@ if (is_array($config['installedpackages']['carpsettings']['config'])) { update_filter_reload_status("Signaling CARP reload signal..."); carp_sync_xml($synchronizetoip, $carp['password'], $sections, $port); if (is_array($mergesections)) - carp_sync_xml($synchronizetoip, $carp['password'], $mergesections, $port, 'pfsense.merge_config_section'); + carp_sync_xml($synchronizetoip, $carp['password'], $mergesections, $port, 'pfsense.restore_config_section'); $cli = new XML_RPC_Client('/xmlrpc.php', $synchronizetoip, $port); $params = array( XML_RPC_encode($carp['password']) -- cgit v1.1 From 0b581a8acf9fa470e66afebc1834660d0ee81942 Mon Sep 17 00:00:00 2001 From: Scott Ullrich Date: Tue, 31 May 2011 14:28:13 -0400 Subject: Use array_extend --- usr/local/www/xmlrpc.php | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/usr/local/www/xmlrpc.php b/usr/local/www/xmlrpc.php index c534b43..c869137 100755 --- a/usr/local/www/xmlrpc.php +++ b/usr/local/www/xmlrpc.php @@ -274,7 +274,7 @@ function merge_config_section_xmlrpc($raw_params) { $params = xmlrpc_params_to_php($raw_params); if(!xmlrpc_auth($params)) return $xmlrpc_g['return']['authfail']; - $config_new = array_merge($config, $params[0]); + $config_new = array_extend($config, $params[0]); $config = $config_new; $mergedkeys = implode(",", array_keys($params[0])); write_config(sprintf(gettext("Merged in config (%s sections) from XMLRPC client."), $mergedkeys)); @@ -454,4 +454,19 @@ $server = new XML_RPC_Server( unlock($xmlrpclockkey); +function array_extend($a, $b) { + foreach($b as $k=>$v) { + if( is_array($v) ) { + if( !isset($a[$k]) ) { + $a[$k] = $v; + } else { + $a[$k] = array_extend($a[$k], $v); + } + } else { + $a[$k] = $v; + } + } + return $a; +} + ?> -- cgit v1.1 From f9d7c5b3c44437b6f39fe757ede40decbfd395b9 Mon Sep 17 00:00:00 2001 
From: Scott Ullrich Date: Tue, 31 May 2011 14:42:22 -0400 Subject: Use array_overlay() --- usr/local/www/xmlrpc.php | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/usr/local/www/xmlrpc.php b/usr/local/www/xmlrpc.php index c869137..500700a 100755 --- a/usr/local/www/xmlrpc.php +++ b/usr/local/www/xmlrpc.php @@ -274,7 +274,7 @@ function merge_config_section_xmlrpc($raw_params) { $params = xmlrpc_params_to_php($raw_params); if(!xmlrpc_auth($params)) return $xmlrpc_g['return']['authfail']; - $config_new = array_extend($config, $params[0]); + $config_new = array_overlay($config, $params[0]); $config = $config_new; $mergedkeys = implode(",", array_keys($params[0])); write_config(sprintf(gettext("Merged in config (%s sections) from XMLRPC client."), $mergedkeys)); @@ -454,19 +454,17 @@ $server = new XML_RPC_Server( unlock($xmlrpclockkey); -function array_extend($a, $b) { - foreach($b as $k=>$v) { - if( is_array($v) ) { - if( !isset($a[$k]) ) { - $a[$k] = $v; - } else { - $a[$k] = array_extend($a[$k], $v); + function array_overlay($a1,$a2) + { + foreach($a1 as $k => $v) { + if(!array_key_exists($k,$a2)) continue; + if(is_array($v) && is_array($a2[$k])){ + $a1[$k] = array_overlay($v,$a2[$k]); + }else{ + $a1[$k] = $a2[$k]; } - } else { - $a[$k] = $v; } + return $a1; } - return $a; -} ?> -- cgit v1.1 From 0ca52cfffdd7f043dbcca3159668992611504f86 Mon Sep 17 00:00:00 2001 From: Bill Marquette Date: Tue, 31 May 2011 13:32:25 -0700 Subject: fix typoes --- etc/rc.stop_packages | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) mode change 100755 => 100644 etc/rc.stop_packages diff --git a/etc/rc.stop_packages b/etc/rc.stop_packages old mode 100755 new mode 100644 index 95e77fd..f20fa04 --- a/etc/rc.stop_packages +++ b/etc/rc.stop_packages 
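Review bot: `array_overlay()` iterates over `$a1` and `continue`s when a key is absent from `$a2`, so keys that exist only in the incoming `$a2` are silently discarded, and for list-shaped sections (rules, entries) it overlays index by index and never removes elements of `$a1` beyond the length of `$a2`, so a rule deleted on the sending side survives on the receiver and a mixed old/new list results when the order differs. If the intent is "peer's section wins", replace list values wholesale (`array_keys($v) === range(0, count($v) - 1)` identifies a list) and recurse only on associative arrays; either way `$mergedkeys` should be computed from the keys actually applied. The function is also indented one level deeper than the surrounding file and uses `}else{` where the `array_extend()` it replaces put spaces around `else`.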
@@ -51,7 +51,7 @@ else { if (is_array($config['installedpackages']['package'])) { foreach($config['installedpackages']['package'] as $package) { - echo " Stoping package {$package['name']}..."; + echo " Stopping package {$package['name']}..."; stop_service($package['name']); unset($rcfiles["{$rcfileprefix}{$package['name']}.sh"]); echo "done.\n"; @@ -61,7 +61,7 @@ if (is_array($config['installedpackages']['package'])) { $shell = @popen("/bin/sh", "w"); if ($shell) { foreach ($rcfiles as $rcfile => $number) { - echo " Stoping {$rcfile}..."; + echo " Stopping {$rcfile}..."; fwrite($shell, "{$rcfile} stop >>/tmp/bootup_messages 2>&1"); echo "done.\n"; } -- cgit v1.1 From 538b6eb353ce568627513e681483329ecb0d1ec8 Mon Sep 17 00:00:00 2001 From: Evgeny Yurchenko Date: Tue, 31 May 2011 23:41:32 -0400 Subject: Bug #1560. IPsec GUI needs to reject duplicate subnets in phase 2s for a given phase 1(site-to-site). --- usr/local/www/vpn_ipsec_phase2.php | 43 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 41 insertions(+), 2 deletions(-) diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php index bd71191..c0ddf0e 100644 --- a/usr/local/www/vpn_ipsec_phase2.php +++ b/usr/local/www/vpn_ipsec_phase2.php @@ -141,8 +141,9 @@ if ($_POST) { } } - /* TODO : Validate enabled phase2's are not duplicates */ + /* Validate enabled phase2's are not duplicates */ if (isset($pconfig['mobile'])){ + /* User is adding phase 2 for mobile phase1 */ foreach($a_phase2 as $name){ if (isset($name['mobile'])){ /* check duplicate localids only for mobile clents */ 
@@ -169,7 +170,45 @@ if ($_POST) { } } } - } + }else{ + /* User is adding phase 2 for site-to-site phase1 */ + $input_error = 0; + foreach($a_phase2 as $name){ + if (!isset($name['mobile']) && $pconfig['ikeid'] == $name['ikeid']){ + /* check duplicate subnets only for given phase1 */ + if ($name['localid']['type'] == $pconfig['localid_type'] && + $name['remoteid']['type'] == $pconfig['remoteid_type']){ + /* Types match, check further */ + $configured_remote_string = $name['remoteid']['address'] . $name['remoteid']['netbits']; + $eneterd_remote_string = $pconfig['remoteid_address'] . $pconfig['remoteid_netbits']; + switch($pconfig['localid_type']){ + case "none": + case "lan": + case "wan": + if ($configured_remote_string == $eneterd_remote_string) + $input_error = 1; + break; + case "address": + if ($name['localid']['address'] == $pconfig['localid_address'] && + $configured_remote_string == $eneterd_remote_string) + $input_error = 1; + break; + case "network": + if ($name['localid']['address'] == $pconfig['localid_address'] && + $name['localid']['netbits'] == $pconfig['localid_netbits'] && + $configured_remote_string == $eneterd_remote_string) + $input_error = 1; + break; + } + if ($input_error){ + $input_errors[] = gettext("Phase2 with this Local/Remote Networks combination is already defined for this Phase1."); + break; /* there is an error, stop checking other phase2 definitions */ + } + } + } + } + } + $ealgos = pconfig_to_ealgos($pconfig); if (!count($ealgos)) { -- cgit v1.1 From 6b421a0fb42a50d1e87ac63c64a5b8b8d2157577 Mon Sep 17 00:00:00 2001 From: Ermal Date: Wed, 1 Jun 2011 10:46:55 +0000 Subject: Fixes #944. Use the correct interface name to destroy the previous vlan if the parent is changed. --- usr/local/www/interfaces_vlan_edit.php | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/usr/local/www/interfaces_vlan_edit.php b/usr/local/www/interfaces_vlan_edit.php index 145fe0a..078fc3b 100755 
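Review bot: `$configured_remote_string` and `$eneterd_remote_string` concatenate address and netbits with no separator, so `"10.0.0.1" . "24"` and `"10.0.0.12" . "4"` compare equal and two different remote networks can be reported as duplicates; insert a separator, `$configured_remote_string = $name['remoteid']['address'] . '/' . $name['remoteid']['netbits'];`, and likewise for the entered value. As in the mobile branch above, the loop does not skip the phase 2 entry being edited, so re-saving an unchanged site-to-site entry is flagged against itself unless `$id` is excluded elsewhere (not visible). `$eneterd_remote_string` is misspelled; `$entered_remote_string` reads better.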
--- a/usr/local/www/interfaces_vlan_edit.php +++ b/usr/local/www/interfaces_vlan_edit.php @@ -97,9 +97,13 @@ if ($_POST) { if (!$input_errors) { if (isset($id) && $a_vlans[$id]) { - if ($a_vlans[$id]['if'] != $_POST['if']) - // Destroy previous vlan - pfSense_interface_destroy($a_vlans[$id]['if']); + if ($a_vlans[$id]['if'] != $_POST['if']) { + if (!empty($a_vlans[$id]['vlanif'])) + // Destroy previous vlan + pfSense_interface_destroy($a_vlans[$id]['vlanif']); + else + pfSense_interface_destroy("{$a_vlans[$id]['if']}_vlan{$a_vlans[$id]['tag']}"); + } } $vlan = array(); $vlan['if'] = $_POST['if']; -- cgit v1.1 From 695a35aecdf3eefc4d529b57dabb1b5c0018e9c9 Mon Sep 17 00:00:00 2001 From: Ermal Date: Wed, 1 Jun 2011 10:49:02 +0000 Subject: Ticket #944. Also destory the previous interface if the user changing the vlan tag of an existing vlan entry. --- usr/local/www/interfaces_vlan_edit.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/www/interfaces_vlan_edit.php b/usr/local/www/interfaces_vlan_edit.php index 078fc3b..08f1a53 100755 --- a/usr/local/www/interfaces_vlan_edit.php +++ b/usr/local/www/interfaces_vlan_edit.php @@ -97,7 +97,7 @@ if ($_POST) { if (!$input_errors) { if (isset($id) && $a_vlans[$id]) { - if ($a_vlans[$id]['if'] != $_POST['if']) { + if (($a_vlans[$id]['if'] != $_POST['if']) || ($a_vlans[$id]['tag'] != $_POST['tag'])) { if (!empty($a_vlans[$id]['vlanif'])) // Destroy previous vlan pfSense_interface_destroy($a_vlans[$id]['vlanif']); -- cgit v1.1 From 97c1f2684c5dd225075fec08148f084ff190af0a Mon Sep 17 00:00:00 2001 From: Ermal Date: Wed, 1 Jun 2011 11:14:51 +0000 Subject: Fixes #1412. Properly pass the page to match so users are not always presented with the change password screen. --- usr/local/www/system_usermanager.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/www/system_usermanager.php b/usr/local/www/system_usermanager.php index d810cb9..597aefd 100644 
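Review bot: `$a_vlans[$id]['tag'] != $_POST['tag']` is a loose comparison between two strings; when both look numeric PHP compares them as numbers, so a submitted `"010"` or `"10.0"` for a stored `"10"` counts as unchanged and the old VLAN interface is not destroyed, while the `$vlan['tag']` assigned below (outside the hunk) may still differ. Casting both sides makes the intent explicit: `if (($a_vlans[$id]['if'] != $_POST['if']) || ((int)$a_vlans[$id]['tag'] != (int)$_POST['tag'])) {`, assuming the tag has been validated as an integer in the `$input_errors` checks above (not visible). The inner `if`/`else` places a comment between the condition and its single statement; braces around both branches would make it harder to break on the next edit.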
--- a/usr/local/www/system_usermanager.php +++ b/usr/local/www/system_usermanager.php @@ -49,7 +49,7 @@ require("certs.inc"); require("guiconfig.inc"); -if (isAllowedPage("system_usermanager")) { +if (isAllowedPage("system_usermanager*")) { // start admin user code $pgtitle = array(gettext("System"),gettext("User Manager")); -- cgit v1.1
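Review bot: Widening the check to `isAllowedPage("system_usermanager*")` makes the admin branch depend on whether the caller's privileges match any page name beginning with `system_usermanager`; if `isAllowedPage()` treats `*` as a glob (its implementation is not on the page) and a privilege exists for a narrower page with that prefix, such as a self-service password page, a user holding only that privilege could now enter `// start admin user code` instead of the change-password screen. Confirm which page names the wildcard can match before relying on it, and list the intended names explicitly if the set is small. A comment such as `// wildcard: any system_usermanager* privilege selects the admin view` would at least make the decision visible.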
   
@@ -817,6 +827,10 @@ include("fbegin.inc"); ?>
   
@@ -629,6 +639,10 @@ any)");?>
  -- cgit v1.1 From a3d58a12bf8a153c490f6946e796fb79a2e6957e Mon Sep 17 00:00:00 2001 From: Scott Ullrich Date: Mon, 30 May 2011 15:27:50 -0400 Subject: Use aon plugin --- usr/local/www/firewall_nat_out_edit.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/www/firewall_nat_out_edit.php b/usr/local/www/firewall_nat_out_edit.php index 9456206..72bc556 100755 --- a/usr/local/www/firewall_nat_out_edit.php +++ b/usr/local/www/firewall_nat_out_edit.php @@ -641,7 +641,7 @@ any)");?>